2024-010: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-085; 2022-089; 2021-019
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Pandemic EBT Food Benefits - 10.542
Federal Award Number and Year: Not Applicable - 2024
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Social Services continues not to obtain, review, and document System and Organization Controls (SOC) reports, specifically SOC 1, Type 2 reports, to gain assurance over its third-party service providers’ internal controls relevant to financial reporting. A SOC 1, Type 2 report describes the service organization’s internal controls, reports on their design and operating effectiveness over the covered period, and identifies the effect those controls may have on the user entity’s financial statements. Social Services uses service organizations to perform functions that are significant to its financial operations, such as administering the electronic benefit transfer (EBT) process for several of its public assistance programs. For instance, during fiscal year 2024, one of Social Services’ third-party service providers issued more than $2 billion in financial assistance to beneficiaries on EBT cards.
Topic 10305 of the CAPP Manual requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment and maintain oversight over service providers to gain assurance over outsourced operations. Additionally, 2 CFR § 200.303(a) requires non-federal entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Social Services tasks contract administrators with responsibility for obtaining, reviewing, and documenting SOC 1, Type 2 reports. However, contract administrators are often not familiar with the CAPP Manual requirements, and Social Services has not made them aware of the expectations for obtaining, reviewing, and documenting SOC 1, Type 2 reports through a documented policy and procedure. As a result, contract administrators have not been obtaining, reviewing, and documenting SOC 1, Type 2 reports.
Without adopting a policy and procedure over SOC 1, Type 2 reports and communicating those expectations to contract administrators, Social Services is unable to ensure its complementary user entity controls are sufficient to support its reliance on the service providers’ control design, implementation, and operating effectiveness. Additionally, Social Services is unable to address any internal control deficiencies and/or exceptions identified in the SOC 1, Type 2 reports. In effect, by not obtaining the necessary SOC 1, Type 2 reports timely or properly documenting its review of them, Social Services increases the risk that it will not detect a weakness in a service provider’s environment.
Social Services should designate a resource within the agency, who is knowledgeable of the CAPP Manual and SOC 1, Type 2 report requirements, with responsibility for developing an office-wide policy and procedure that contract administrators can use for obtaining, reviewing, and documenting SOC 1, Type 2 reports. At a minimum, Social Services’ policy and procedure should include the timeframes for obtaining SOC 1, Type 2 reports from service providers, documentation requirements for user entity complementary controls, the steps needed to address internal control deficiencies and/or exceptions found in reviews, and the staff responsible for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency. Thereafter, Social Services should communicate the policy and procedure to all individuals responsible for overseeing service provider operations to ensure compliance with federal and state regulations. Finally, Social Services should retain this information as part of its annual Agency Risk Management and Internal Control Standard certification.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security
Applicable to: Department of Education - Direct Aid to Public Education
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management; Audit and Accountability
ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data.
The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The improper access results from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
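The evaluation the recommendation calls for can be made repeatable rather than a one-time manual review. The following is an added example and is not part of the audit report or of NVCC’s own procedures: it derives each employee’s effective data scopes from the roles assigned in the student information system, compares them with the scopes the employee’s job function needs, and separately flags role combinations that conflict under segregation of duties (the ISO Standard point above). The role names, scopes, job functions, conflict pairs, and users are constructed and hypothetical.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical role-to-scope mapping for a student information system.
ROLE_SCOPES = {
    "fa_counselor": {"fa:read"},
    "fa_processor": {"fa:read", "fa:award"},
    "fa_disburser": {"fa:read", "fa:disburse"},
    "registrar":    {"enroll:read", "enroll:write"},
    "sis_admin":    {"fa:read", "fa:award", "fa:disburse", "enroll:read", "enroll:write"},
}

# Constructed, hypothetical entitlement matrix: scopes each job function actually needs.
JOB_NEEDS = {
    "financial aid counselor": {"fa:read"},
    "financial aid processor": {"fa:read", "fa:award"},
    "registrar clerk":         {"enroll:read", "enroll:write"},
}

# Role pairs one person should not hold together (segregation of duties):
# whoever awards aid should not also be able to disburse it. Hypothetical.
SOD_CONFLICTS = {frozenset({"fa_processor", "fa_disburser"})}


@dataclass
class User:
    name: str
    job: str
    roles: set


@dataclass
class Finding:
    user: str
    excess_scopes: set = field(default_factory=set)   # granted but not needed
    conflicts: list = field(default_factory=list)      # SoD-conflicting role pairs held


def effective_scopes(roles, role_scopes=ROLE_SCOPES):
    """Union of the scopes granted by every role the user holds."""
    return set().union(*(role_scopes.get(r, set()) for r in roles))


def review_user(user, role_scopes=ROLE_SCOPES, job_needs=JOB_NEEDS, sod=SOD_CONFLICTS):
    """Compare effective access with job need and check for conflicting role pairs."""
    granted = effective_scopes(user.roles, role_scopes)
    needed = job_needs.get(user.job, set())
    finding = Finding(user=user.name, excess_scopes=granted - needed)
    for pair in sod:
        if pair <= user.roles:
            finding.conflicts.append(tuple(sorted(pair)))
    return finding


def review_access(users, **kw):
    """Return findings only for users with excess privilege or SoD conflicts."""
    return [f for f in (review_user(u, **kw) for u in users) if f.excess_scopes or f.conflicts]


def summarize(users, **kw):
    """(employees with findings, employees reviewed), the ratio reported in the finding."""
    return len(review_access(users, **kw)), len(users)


# Constructed sample population (hypothetical names and assignments).
USERS = [
    User("alice", "financial aid counselor", {"fa_counselor"}),
    User("bob",   "financial aid counselor", {"sis_admin"}),                 # over-provisioned
    User("carol", "financial aid processor", {"fa_processor", "fa_disburser"}),  # SoD conflict
    User("dave",  "registrar clerk",         {"registrar"}),
]


def run_review():
    return review_access(USERS)


if __name__ == "__main__":
    for f in run_review():
        print(f.user, "excess:", sorted(f.excess_scopes), "conflicts:", f.conflicts)
    print("%d of %d employees flagged" % summarize(USERS))
```

In practice the role-to-scope table comes from the system’s own role definitions and the entitlement matrix from management’s job descriptions; the review is only as good as the agreement between those two sources, which is why the recommendation pairs the technical evaluation with a review of job responsibilities.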
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not timely identify students requiring a return of Title IV calculation. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date, based on the percentage of the payment period the student completed. The total number of calendar days in a payment period includes all days within the period that the student was scheduled to complete; scheduled breaks of at least five consecutive days are excluded from both the total days in the period and the days the student completed. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
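Both exceptions above turn on the same input: which scheduled breaks the student information system carries as excludable. The following is an added example, not part of the audit report or of either institution’s system, showing the earned-percentage step of the calculation described in 34 CFR § 668.22(f) for a credit-hour program and how mis-keyed break data moves the result. The term dates, breaks, withdrawal date, and disbursed amount are constructed and hypothetical, and the ED worksheet’s rounding conventions and the later allocation of the unearned amount between the institution and the student are not modelled.

```python
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from fractions import Fraction

# Scheduled breaks of at least this many consecutive days are excluded from both the
# total days in the period and the days completed (34 CFR 668.22(f)).
MIN_EXCLUDED_BREAK_DAYS = 5


def _inclusive_days(start, end):
    """Calendar days from start through end inclusive; 0 if end precedes start."""
    return max(0, (end - start).days + 1)


def excluded_break_days(start, end, breaks, min_break_days=MIN_EXCLUDED_BREAK_DAYS):
    """Days within [start, end] that fall inside a qualifying scheduled break."""
    days = 0
    for b_start, b_end in breaks:
        if _inclusive_days(b_start, b_end) < min_break_days:
            continue  # short break: it stays in the count
        days += _inclusive_days(max(b_start, start), min(b_end, end))  # clip to window
    return days


def earned_percentage(period_start, period_end, withdrawal_date, breaks=(),
                      min_break_days=MIN_EXCLUDED_BREAK_DAYS):
    """Fraction of Title IV aid earned: days completed / total days, 100% once past 60%."""
    total = (_inclusive_days(period_start, period_end)
             - excluded_break_days(period_start, period_end, breaks, min_break_days))
    completed = (_inclusive_days(period_start, withdrawal_date)
                 - excluded_break_days(period_start, withdrawal_date, breaks, min_break_days))
    pct = Fraction(completed, total)
    return Fraction(1) if pct > Fraction(60, 100) else pct


def unearned_amount(pct, disbursed):
    """Disbursed aid not earned, in dollars rounded to cents."""
    earned = (disbursed * Decimal(pct.numerator) / Decimal(pct.denominator)).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)
    return disbursed - earned


# Constructed fall term (hypothetical dates): 26 Aug - 13 Dec 2023, 110 calendar days,
# a five-day Thanksgiving break that qualifies for exclusion and a three-day reading
# break that does not. Student withdrew 20 Oct with $2,000.00 of Pell disbursed.
TERM = (date(2023, 8, 26), date(2023, 12, 13))
BREAKS = [(date(2023, 11, 22), date(2023, 11, 26)), (date(2023, 12, 1), date(2023, 12, 3))]
WITHDREW = date(2023, 10, 20)
PELL_DISBURSED = Decimal("2000.00")


def example_correct():
    # 56 completed days / (110 - 5) total days
    return earned_percentage(*TERM, WITHDREW, BREAKS)


def example_over_excluded():
    # Error class in the finding: every scheduled break keyed as excludable. The three-day
    # break after the withdrawal date then shrinks only the denominator, overstating the
    # percentage earned and understating the amount owed to ED.
    return earned_percentage(*TERM, WITHDREW, BREAKS, min_break_days=1)


if __name__ == "__main__":
    for label, pct in (("correct", example_correct()), ("over-excluded", example_over_excluded())):
        print(label, pct, float(pct), "unearned:", unearned_amount(pct, PELL_DISBURSED))
```

The two runs differ by a few dollars on a single $2,000 disbursement, which is the order of magnitude of the underpayments cited above; the control that matters is the one the recommendation names, verifying the break table in the student information system before the term’s calculations are run.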
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found that seven of 45 (16%) employees have access to financial aid data beyond what their job responsibilities require. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing staff access levels. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
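The kind of access review the recommendation calls for, as an added example that is not part of the audit report or NVCC's own tooling: a job-to-role matrix defines the only roles each job needs, and the check reports roles held beyond that scope (least privilege) and role pairs that must not sit on one account (segregation of duties). Role names, job titles, the matrix, and the sample accounts are all constructed for illustration.

```python
from collections import namedtuple

Employee = namedtuple("Employee", ["user", "job", "roles"])

# Hypothetical job-to-role matrix (constructed; not any institution's actual roles).
# Each job title maps to the only student information system roles it needs.
JOB_ROLE_MATRIX = {
    "financial_aid_counselor": {"FA_VIEW", "FA_AWARD"},
    "bursar_clerk": {"BURSAR_POST", "FA_VIEW"},
    "registrar_clerk": {"REG_ENROLL"},
    "it_support": {"HELPDESK_RESET"},
}

# Roles that expose financial aid data.
FINANCIAL_AID_ROLES = {"FA_VIEW", "FA_AWARD"}

# Role pairs no single account may hold (segregation of duties).
CONFLICTING_ROLE_PAIRS = [
    frozenset({"FA_AWARD", "BURSAR_POST"}),  # award aid and disburse it
    frozenset({"FA_AWARD", "REG_ENROLL"}),   # award aid and alter the enrollment it depends on
]


def review_access(employees, matrix=JOB_ROLE_MATRIX, conflicts=CONFLICTING_ROLE_PAIRS):
    """Return sorted (user, issue, detail) tuples for every least-privilege or
    segregation-of-duties exception found in the role assignments."""
    findings = []
    for emp in employees:
        held = set(emp.roles)
        allowed = matrix.get(emp.job)
        if allowed is None:
            # No job mapping means there is no basis for any role on this account.
            findings.append((emp.user, "unknown_job", emp.job))
            continue
        for role in held - allowed:
            findings.append((emp.user, "excess_role", role))
        for pair in conflicts:
            if pair <= held:
                findings.append((emp.user, "conflicting_roles", "+".join(sorted(pair))))
    return sorted(findings)


def users_with_excess_financial_aid_access(employees, matrix=JOB_ROLE_MATRIX):
    """Users holding a financial aid data role their job does not call for:
    the condition the finding reports (employees with access beyond their duties)."""
    return sorted({user for user, issue, detail in review_access(employees, matrix)
                   if issue == "excess_role" and detail in FINANCIAL_AID_ROLES})


# Constructed sample of accounts to review.
SAMPLE_EMPLOYEES = [
    Employee("alice", "financial_aid_counselor", {"FA_VIEW", "FA_AWARD"}),
    Employee("bob", "registrar_clerk", {"REG_ENROLL", "FA_VIEW"}),
    Employee("carol", "bursar_clerk", {"BURSAR_POST", "FA_VIEW", "FA_AWARD"}),
    Employee("dave", "it_support", {"HELPDESK_RESET"}),
    Employee("erin", "registrar_clerk", {"REG_ENROLL", "FA_AWARD"}),
    Employee("frank", "bursar_clerk", {"BURSAR_POST"}),
    Employee("grace", "financial_aid_counselor", {"FA_VIEW"}),
    Employee("hank", "former_contractor", {"FA_VIEW"}),
]

if __name__ == "__main__":
    for user, issue, detail in review_access(SAMPLE_EMPLOYEES):
        print(f"{user:6} {issue:18} {detail}")
    flagged = users_with_excess_financial_aid_access(SAMPLE_EMPLOYEES)
    print(f"{len(flagged)} of {len(SAMPLE_EMPLOYEES)} accounts hold financial aid "
          f"roles beyond their job scope: {flagged}")
```

An account whose job has no matrix entry (such as "hank" above) is reported separately rather than counted as excess, since there is no approved scope to compare it against.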
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
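The day-count rule described above, worked as an added example that is not part of the audit report or any institution's system: both the total days in the payment period and the days the student completed drop only scheduled breaks of at least five consecutive days, and the block shows how treating a shorter holiday as an excluded break (the error pattern in these findings) shifts the counts. The term dates, breaks, and withdrawal date are constructed.

```python
from datetime import date

# Scheduled breaks are excluded from the day counts only when they run at least
# five consecutive days; a one-day holiday is an ordinary day in the period.
MIN_EXCLUDED_BREAK_DAYS = 5


def excluded_break_days(breaks, start, end, min_break_days=MIN_EXCLUDED_BREAK_DAYS):
    """Count the days in [start, end] that fall inside a qualifying scheduled break.

    breaks is an iterable of (first_day, last_day) date pairs, inclusive.
    """
    excluded = 0
    for break_start, break_end in breaks:
        length = (break_end - break_start).days + 1
        if length < min_break_days:
            continue  # too short to exclude: these days stay in the count
        overlap_start = max(break_start, start)
        overlap_end = min(break_end, end)
        if overlap_start <= overlap_end:
            excluded += (overlap_end - overlap_start).days + 1
    return excluded


def r2t4_days(period_start, period_end, withdrawal_date, breaks,
              min_break_days=MIN_EXCLUDED_BREAK_DAYS):
    """Return (total_days, completed_days) for the payment period.

    Both counts include their end dates and both drop the same qualifying
    breaks, so the earned fraction is computed on a consistent basis.
    """
    if not period_start <= withdrawal_date <= period_end:
        raise ValueError("withdrawal date must fall within the payment period")
    total = ((period_end - period_start).days + 1
             - excluded_break_days(breaks, period_start, period_end, min_break_days))
    completed = ((withdrawal_date - period_start).days + 1
                 - excluded_break_days(breaks, period_start, withdrawal_date, min_break_days))
    return total, completed


def earned_fraction(period_start, period_end, withdrawal_date, breaks):
    """Fraction of the period completed as of the withdrawal date."""
    total, completed = r2t4_days(period_start, period_end, withdrawal_date, breaks)
    return completed / total


def naive_days(period_start, period_end, withdrawal_date, breaks):
    """The error pattern in the finding: every scheduled break is dropped,
    including holidays shorter than five days."""
    return r2t4_days(period_start, period_end, withdrawal_date, breaks, min_break_days=1)


# Constructed sample term (not taken from any institution's calendar).
PERIOD_START = date(2023, 8, 21)
PERIOD_END = date(2023, 12, 8)
WITHDRAWAL_DATE = date(2023, 10, 15)
SCHEDULED_BREAKS = [
    (date(2023, 9, 4), date(2023, 9, 4)),      # one-day holiday: not excluded
    (date(2023, 11, 22), date(2023, 11, 26)),  # five-day break: excluded
]

if __name__ == "__main__":
    total, completed = r2t4_days(PERIOD_START, PERIOD_END, WITHDRAWAL_DATE, SCHEDULED_BREAKS)
    print(f"correct: {completed}/{total} days = {completed / total:.2%} earned")
    n_total, n_completed = naive_days(PERIOD_START, PERIOD_END, WITHDRAWAL_DATE, SCHEDULED_BREAKS)
    print(f"short break wrongly excluded: {n_completed}/{n_total} days = "
          f"{n_completed / n_total:.2%} earned")
```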
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found that seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The underlying cause of the improper access is management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
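The calendar-day counting rule above is where the errors in this finding arise: staff excluded break days that did not meet the five-consecutive-day threshold. The following Python is an added illustration, not code from the report or from any institution's student information system; the term dates, breaks and aid amount are constructed, and the rule that a student who completes more than 60% of the period has earned 100% of the aid is taken from 34 CFR § 668.22(e), not from the text above.

```python
from datetime import date

# Scheduled breaks shorter than this stay in the day count (34 CFR § 668.22).
MIN_BREAK_DAYS = 5


def _excluded_break_days(breaks, start, end, min_break_days=MIN_BREAK_DAYS):
    """Days of qualifying scheduled breaks that fall within [start, end] inclusive.

    A break only qualifies for exclusion when it is at least min_break_days long;
    a one-day holiday (e.g. Labor Day) is NOT excluded. Only the portion of a
    qualifying break that overlaps the window is subtracted.
    """
    excluded = 0
    for break_start, break_end in breaks:
        length = (break_end - break_start).days + 1
        if length < min_break_days:
            continue  # short break: these days remain in the period
        lo, hi = max(break_start, start), min(break_end, end)
        if lo <= hi:
            excluded += (hi - lo).days + 1
    return excluded


def calendar_days(start, end, breaks, min_break_days=MIN_BREAK_DAYS):
    """Calendar days from start through end, less qualifying scheduled breaks."""
    total = (end - start).days + 1
    return total - _excluded_break_days(breaks, start, end, min_break_days)


def percentage_completed(start, end, withdrawal, breaks,
                         min_break_days=MIN_BREAK_DAYS):
    """Fraction of the payment period the student completed as of withdrawal."""
    completed = calendar_days(start, withdrawal, breaks, min_break_days)
    total = calendar_days(start, end, breaks, min_break_days)
    return completed / total


def earned_aid(disbursed, pct_completed):
    """Title IV aid earned; more than 60% completed earns all of it (§ 668.22(e))."""
    if pct_completed > 0.60:
        return float(disbursed)
    return round(disbursed * pct_completed, 2)


# Constructed fall term: Labor Day (1 day) and a 5-day Thanksgiving break.
TERM_START = date(2023, 8, 21)
TERM_END = date(2023, 12, 8)
BREAKS = [
    (date(2023, 9, 4), date(2023, 9, 4)),     # 1 day: must NOT be excluded
    (date(2023, 11, 22), date(2023, 11, 26)), # 5 days: excluded
]
DISBURSED = 5000.00  # constructed Pell/Direct Loan total for the period


def compare_methods(withdrawal):
    """Return (correct_pct, incorrect_pct) for a withdrawal date.

    The incorrect figure reproduces the audited error: treating every scheduled
    break, however short, as excluded (min_break_days=1).
    """
    correct = percentage_completed(TERM_START, TERM_END, withdrawal, BREAKS)
    wrong = percentage_completed(TERM_START, TERM_END, withdrawal, BREAKS,
                                 min_break_days=1)
    return correct, wrong


if __name__ == "__main__":
    for wd in (date(2023, 10, 2), date(2023, 11, 30)):
        ok, bad = compare_methods(wd)
        print(f"withdrawal {wd}: correct {ok:.4f} -> earned ${earned_aid(DISBURSED, ok):,.2f}; "
              f"incorrect {bad:.4f} -> earned ${earned_aid(DISBURSED, bad):,.2f}")
```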
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds in accordance with required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of the improper access is management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk that employees will have improper access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
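One way to carry out the evaluation recommended above, as an added example that is not code from the report or from NVCC: compare each employee's provisioned student information system roles against the roles their job function needs, and flag both excess access and conflicting role pairs (segregation of duties). The job functions, role names, conflicting pairs and employee records below are all constructed for illustration.

```python
"""Least-privilege review of student information system (SIS) role assignments.

Added example, not from the audit report. Given each employee's job function,
the roles actually provisioned to them, the roles each job function needs, and
role pairs that must never be held together, it reports excess access,
segregation-of-duties conflicts, and employees with no approved baseline at
all. All job functions, roles and user ids are constructed.
"""
from dataclasses import dataclass, field

# Roles each job function legitimately needs (constructed baseline).
REQUIRED_ROLES = {
    "fa_counselor": {"FA_VIEW", "FA_PACKAGE"},
    "registrar_clerk": {"ENROLL_VIEW", "ENROLL_EDIT"},
    "bursar_clerk": {"ACCT_VIEW", "REFUND_POST"},
    "helpdesk": {"ENROLL_VIEW"},
}

# Constructed conflicting pairs: one person both packaging aid and posting
# refunds, or editing enrollment and packaging aid, defeats segregation of duties.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"FA_PACKAGE", "REFUND_POST"}),
    frozenset({"ENROLL_EDIT", "FA_PACKAGE"}),
}


@dataclass
class Employee:
    user_id: str
    job_function: str
    roles: set


@dataclass
class ReviewResult:
    excess: dict = field(default_factory=dict)      # user_id -> roles beyond need
    conflicts: dict = field(default_factory=dict)   # user_id -> conflicting pairs held
    unknown_function: list = field(default_factory=list)  # no approved baseline


def review_access(employees, required=REQUIRED_ROLES, conflicts=CONFLICTING_ROLE_PAIRS):
    """Flag every employee whose roles exceed, or conflict within, their job's baseline."""
    result = ReviewResult()
    for emp in employees:
        if emp.job_function not in required:
            # No documented need exists, so every role is unjustified until reviewed.
            result.unknown_function.append(emp.user_id)
            continue
        extra = emp.roles - required[emp.job_function]
        if extra:
            result.excess[emp.user_id] = extra
        held = [pair for pair in conflicts if pair <= emp.roles]
        if held:
            result.conflicts[emp.user_id] = held
    return result


def exception_rate(employees, result):
    """Return (flagged, tested, percent) in the same form the audit uses."""
    flagged = set(result.excess) | set(result.conflicts) | set(result.unknown_function)
    return len(flagged), len(employees), round(100 * len(flagged) / len(employees))


# Constructed sample population; comments note the expected finding.
SAMPLE_EMPLOYEES = [
    Employee("u001", "fa_counselor", {"FA_VIEW", "FA_PACKAGE"}),                 # clean
    Employee("u002", "helpdesk", {"ENROLL_VIEW", "FA_VIEW"}),                    # excess FA_VIEW
    Employee("u003", "bursar_clerk", {"ACCT_VIEW", "REFUND_POST", "FA_PACKAGE"}),  # excess + conflict
    Employee("u004", "registrar_clerk", {"ENROLL_VIEW", "ENROLL_EDIT"}),         # clean
    Employee("u005", "contractor", {"FA_VIEW"}),                                 # no baseline defined
]

if __name__ == "__main__":
    r = review_access(SAMPLE_EMPLOYEES)
    print("excess access:", r.excess)
    print("conflicting roles:", r.conflicts)
    print("no approved baseline:", r.unknown_function)
    print("flagged/tested/percent:", exception_rate(SAMPLE_EMPLOYEES, r))
```

The baseline table is the control that matters: if a job function has no entry, the review cannot justify any of that employee's roles, so the script reports them rather than silently passing them.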
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-090: Improve Reporting to the National Student Loan Data System
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College; Old Dominion University; Radford University; University of Virginia; Virginia State University
Prior Year Finding Number: 2021-078; 2018-101
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 685.309
Known Questioned Costs: $0
The institutions noted below did not properly report accurate and/or timely enrollment data to the Department of Education (ED) using the National Student Loan Data System (NSLDS) in accordance with 34 CFR § 685.309 and the NSLDS Enrollment Guide, for students that had withdrawn, graduated or changed enrollment levels. The accuracy of Title IV enrollment data depends heavily on information reported by institutions. The institutions’ inaccurate and untimely enrollment data submissions to NSLDS can affect ED’s reliance on NSLDS for monitoring purposes and may interfere with establishing a student’s loan status, deferment privileges and grace periods. In addition, noncompliance may also impact an institution’s participation in Title IV programs.
George Mason University
GMU management determined the discrepancies in its enrollment reporting submissions were due to a lack of communication between the Office of the University Registrar and the Office of Student Financial Aid. From our sample of 40 students, we noted the following instances of noncompliance:
GMU reported an inaccurate enrollment status for seven students (18%);
GMU reported an inaccurate enrollment status effective date for nine students (23%);
GMU did not report enrollment status changes timely for seven students (18%);
GMU reported inaccurate information in at least one campus or program-level field deemed critical for nine students (23%); and
GMU did not provide evidence supporting that it reported accurate physical addresses in NSLDS for eight students (20%).
Norfolk State University
NSU management indicated the errors in its enrollment reporting submissions were due to staff turnover in the Office of the Registrar and programming issues within the student information system. From our sample of 39 students, we noted the following instances of noncompliance:
NSU reported an inaccurate enrollment status for six students (15%);
NSU reported an inaccurate enrollment status effective date for 26 students (67%);
NSU did not report enrollment status changes timely for one student (3%); and
NSU reported inaccurate information in at least one campus or program-level field deemed critical for 17 students (44%).
Northern Virginia Community College
A lack of management oversight in NVCC’s Registrar’s Office led to the discrepancies in its enrollment reporting submissions. From our sample of 40 students, we noted the following instances of noncompliance:
NVCC reported an inaccurate enrollment status for ten students (25%);
NVCC reported an inaccurate enrollment status effective date for 12 students (30%);
NVCC did not report enrollment status changes timely for eight students (20%);
NVCC reported inaccurate information in at least one campus or program-level field deemed critical for 14 students (35%); and
NVCC could not demonstrate proper approval for the academic program for one student (3%), since the academic program did not appear on the State Council of Higher Education for Virginia (SCHEV) degree inventory report.
Old Dominion University
ODU management indicated the errors in its enrollment reporting submission were due to staff turnover. From our sample of 50 students, we noted the following instances of noncompliance:
ODU reported an inaccurate enrollment status for nine students (18%);
ODU reported an inaccurate enrollment status effective date for 29 students (58%);
ODU did not report enrollment status changes timely for 15 students (30%); and
ODU reported inaccurate information in at least one campus or program-level field deemed critical for 29 students (58%).
Radford University
The primary cause of the discrepancies in RU’s enrollment reporting submissions was staff turnover and the time required for new staff to become proficient in their responsibilities. From our sample of 43 students, we noted the following instances of noncompliance:
RU reported an inaccurate enrollment status for one student (2%);
RU reported an inaccurate enrollment status effective date for three students (7%);
RU did not report enrollment status changes timely for 10 students (23%);
RU reported inaccurate information in at least one campus or program-level field deemed critical for three students (7%); and
RU could not demonstrate proper approval for the academic program for one student (2%), since the academic program did not appear on the SCHEV degree inventory report.
University of Virginia
The underlying causes for the discrepancies in UVA’s enrollment reporting submissions were data entry errors and batch processing issues. Specifically, UVA recorded a student’s social security number inaccurately in its Student Information System. Additionally, batch enrollment updates caused new data submissions to overwrite previous data, which resulted in deactivated and inaccurate enrollment records. From our review of 40 students, we noted the following instances of noncompliance:
UVA reported an inaccurate enrollment status effective date for four students (10%);
UVA did not report enrollment status changes timely for five students (13%); and
UVA reported inaccurate information in at least one campus or program-level field deemed critical for four students (10%).
Virginia State University
A lack of management oversight in VSU’s enrollment reporting process led to the discrepancies in its enrollment reporting submissions. From our sample of 49 students, we noted the following instances of noncompliance:
VSU reported an inaccurate enrollment status for three students (6%);
VSU reported an inaccurate enrollment status effective date for six students (12%);
VSU did not report enrollment status changes timely for 21 students (43%);
VSU reported inaccurate information in at least one campus or program-level field deemed critical for 10 students (20%);
VSU could not demonstrate proper approval for the academic program for eight students (16%), since the academic program did not appear on the SCHEV degree inventory report; and
The permanent address for two out of 39 applicable federal Direct Loan borrowers (5%) did not agree between the student information system and NSLDS.
Recommendation
Each institution should evaluate its current enrollment reporting procedures and implement corrective action to ensure it reports accurate and timely student enrollment data to NSLDS to prevent future noncompliance. Where applicable, institutions should also consider implementing a quality control review process to monitor the accuracy of campus and program-level batch submissions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not timely identify students requiring a return of Title IV calculation. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid who have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations, resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
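The following is an added illustration and is not part of the audit report or of any institution's student information system. It applies the percentage-earned method of 34 CFR § 668.22 (calendar days completed divided by total calendar days in the period, both counts excluding scheduled breaks of at least five consecutive days, with 100% earned once more than 60% of the period is completed) to a constructed term, and then reproduces the error described above for NSU and NVCC: excluding every scheduled break regardless of its length, which shrinks the denominator and understates the amount the institution must return to ED. The term dates, breaks, and disbursement amount are constructed; rounding conventions and post-withdrawal disbursement steps from the Handbook are omitted.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scheduled breaks shorter than this are NOT excluded from the calendar-day counts
MIN_EXCLUDABLE_BREAK_DAYS = 5
# A student who completes more than 60% of the period has earned 100% of the aid
FULL_EARNED_THRESHOLD = 0.60


@dataclass(frozen=True)
class ScheduledBreak:
    first_day: date
    last_day: date

    def length(self) -> int:
        return (self.last_day - self.first_day).days + 1


def excluded_days(breaks, start, end, min_break_days=MIN_EXCLUDABLE_BREAK_DAYS):
    """Dates within [start, end] that fall inside a break long enough to be excluded."""
    excluded = set()
    for brk in breaks:
        if brk.length() < min_break_days:
            continue  # a short break (e.g. a one-day holiday) stays in the count
        day = max(brk.first_day, start)
        last = min(brk.last_day, end)
        while day <= last:
            excluded.add(day)
            day += timedelta(days=1)
    return excluded


def counted_days(start, end, excluded):
    """Inclusive calendar days from start to end, minus excluded break days in that range."""
    return (end - start).days + 1 - sum(1 for d in excluded if start <= d <= end)


def return_of_title_iv(period_start, period_end, withdrawal_date, breaks, aid_disbursed,
                       min_break_days=MIN_EXCLUDABLE_BREAK_DAYS):
    """Earned and unearned aid as of the withdrawal date (the withdrawal day counts as completed)."""
    excluded = excluded_days(breaks, period_start, period_end, min_break_days)
    total = counted_days(period_start, period_end, excluded)
    completed = counted_days(period_start, withdrawal_date, excluded)
    pct = completed / total
    earned_fraction = 1.0 if pct > FULL_EARNED_THRESHOLD else pct
    earned = round(aid_disbursed * earned_fraction, 2)
    return {
        "completed_days": completed,
        "total_days": total,
        "percent_completed": round(pct * 100, 1),
        "earned": earned,
        "unearned": round(aid_disbursed - earned, 2),
    }


# Constructed spring term and scheduled breaks (not taken from any institution's calendar)
PERIOD_START = date(2024, 1, 16)
PERIOD_END = date(2024, 5, 10)
SCHEDULED_BREAKS = [
    ScheduledBreak(date(2024, 3, 9), date(2024, 3, 17)),   # nine-day spring break: excluded
    ScheduledBreak(date(2024, 4, 1), date(2024, 4, 1)),    # one-day holiday: NOT excluded
]
AID_DISBURSED = 3000.00  # constructed Pell disbursement


def break_exclusion_error(withdrawal_date):
    """How much less is returned to ED when staff exclude every scheduled break regardless
    of length (the error in the finding), compared with the correct five-day rule."""
    correct = return_of_title_iv(PERIOD_START, PERIOD_END, withdrawal_date,
                                 SCHEDULED_BREAKS, AID_DISBURSED)
    wrong = return_of_title_iv(PERIOD_START, PERIOD_END, withdrawal_date,
                               SCHEDULED_BREAKS, AID_DISBURSED, min_break_days=1)
    return round(correct["unearned"] - wrong["unearned"], 2)


if __name__ == "__main__":
    withdrew = date(2024, 2, 29)
    print("correct:", return_of_title_iv(PERIOD_START, PERIOD_END, withdrew, SCHEDULED_BREAKS, AID_DISBURSED))
    print("underpayment to ED if the one-day holiday is wrongly excluded: $", break_exclusion_error(withdrew))
```

In the constructed term the correct denominator is 107 days; wrongly excluding the one-day holiday makes it 106, raises the earned percentage, and leaves ED short by the difference in the unearned amount. A control that compares the system's configured break table against the published academic calendar, and rejects breaks shorter than five days from the exclusion list, catches this before the calculation runs.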
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
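Findings 2024-093, 2024-095, 2024-096 and 2024-098 above each turn on a calendar-day window measured from a triggering event: 45 days from the date of determination to return unearned funds, 240 days from issuing an uncashed check or 45 days from a rejected EFT to return unclaimed aid, a COD reporting window of no earlier than seven days before and no later than 15 days after a disbursement, and 14 days from crediting an account to pay a credit balance. The exception report below is an added illustration, not part of the audit report or any institution's systems; it encodes those windows as data, runs them over constructed transaction records (the record references are made up), and measures items that are still open against the review date, which is how an uncashed check that has never been returned becomes an exception.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Calendar-day deadlines from the triggering event, as stated in the findings above
DEADLINE_DAYS = {
    "unearned_return": 45,   # 34 CFR § 668.21(b): 45 days after the date of determination
    "uncashed_check": 240,   # 34 CFR § 668.164(l): 240 days after issuing a check that was never cashed
    "rejected_eft": 45,      # 34 CFR § 668.164(l): 45 days after an EFT is rejected
    "credit_balance": 14,    # 34 CFR § 668.164(h): 14 days after crediting the student's account
    "cod_report": 15,        # 88 F.R. 41092: report the disbursement no later than 15 days after it
}
COD_EARLIEST_DAYS_BEFORE = 7  # ...and no earlier than seven days before the disbursement date


@dataclass(frozen=True)
class Item:
    kind: str               # one of the DEADLINE_DAYS keys
    ref: str                # constructed record reference, not a real student identifier
    trigger: date           # event that starts the clock: determination, check issue, EFT rejection,
                            # credit posting, or disbursement date
    action: Optional[date]  # date the institution returned/refunded/reported; None if still open


def deadline(item: Item) -> date:
    return item.trigger + timedelta(days=DEADLINE_DAYS[item.kind])


def find_exceptions(items, as_of: date):
    """One dict per item that fell outside its regulatory window as of the review date."""
    exceptions = []
    for item in items:
        if item.kind not in DEADLINE_DAYS:
            raise ValueError(f"no rule defined for kind {item.kind!r}")
        due = deadline(item)
        # Open items are measured against the review date, so a never-returned check is still late
        acted = item.action if item.action is not None else as_of
        days_late = (acted - due).days
        if days_late > 0:
            exceptions.append({"ref": item.ref, "kind": item.kind, "due": due,
                               "days_late": days_late, "still_open": item.action is None})
            continue
        # COD has a lower bound as well: reporting too early is also noncompliant
        if item.kind == "cod_report" and item.action is not None:
            earliest = item.trigger - timedelta(days=COD_EARLIEST_DAYS_BEFORE)
            if item.action < earliest:
                exceptions.append({"ref": item.ref, "kind": item.kind, "due": due,
                                   "days_early": (earliest - item.action).days, "still_open": False})
    return exceptions


# Constructed sample records for one review period
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ITEMS = [
    Item("unearned_return", "R2T4-001", date(2024, 3, 4), date(2024, 4, 10)),   # returned within 45 days
    Item("unearned_return", "R2T4-002", date(2024, 3, 4), date(2024, 8, 5)),    # returned months late
    Item("uncashed_check",  "CHK-017",  date(2023, 9, 15), None),               # never returned, still open
    Item("rejected_eft",    "EFT-044",  date(2024, 5, 1),  date(2024, 6, 10)),  # returned within 45 days
    Item("credit_balance",  "CB-311",   date(2024, 1, 22), date(2024, 2, 17)),  # refunded 26 days after credit
    Item("cod_report",      "COD-B1",   date(2024, 1, 19), date(2024, 1, 5)),   # reported 14 days early
    Item("cod_report",      "COD-B2",   date(2024, 1, 19), date(2024, 2, 1)),   # reported within 15 days
]


def exception_refs(items, as_of):
    return sorted(e["ref"] for e in find_exceptions(items, as_of))


if __name__ == "__main__":
    for exc in find_exceptions(SAMPLE_ITEMS, REVIEW_DATE):
        print(exc)
```

Because the deadlines live in one table, a change such as a new reporting window is a one-line edit rather than a change to the logic, and an unrecognized record kind fails loudly instead of silently passing. Running the report on a fixed schedule, rather than only at year end, is what turns it from an audit test into a control.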
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of its retention period. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based on the concept of least privilege and on job responsibilities.
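The evaluation recommended above can be made repeatable by comparing each employee's assigned roles against a documented baseline of roles permitted for their job and against a list of role pairs that must not be held together. The code below is an added illustration and is not NVCC's or the auditors' tooling; the job titles, role names, conflicting-role pairs and employee records are constructed. It flags roles beyond the job baseline (reporting separately those that expose financial aid data, the concern in this finding), flags segregation-of-duties conflicts, and states the exception rate in the same form the finding uses.

```python
from dataclasses import dataclass

# Constructed role catalogue for a student information system: the minimum roles each job needs.
# Job and role names are illustrative and are not NVCC's.
JOB_ROLE_BASELINE = {
    "financial_aid_counselor": {"fa_view", "fa_award_entry"},
    "fa_disbursement_officer": {"fa_view", "fa_disbursement_approve"},
    "registrar_clerk": {"enrollment_view", "enrollment_update"},
    "bursar_clerk": {"fa_view", "refund_process"},
    "it_support": {"account_reset"},
}

# Segregation-of-duties rule: no single person should hold both roles in a pair (constructed)
CONFLICTING_ROLE_PAIRS = {
    frozenset({"fa_award_entry", "fa_disbursement_approve"}),   # award aid and approve its payment
    frozenset({"fa_award_entry", "refund_process"}),            # award aid and refund it
    frozenset({"enrollment_update", "fa_disbursement_approve"}),  # change enrollment and approve payment
}

# Roles that expose financial aid data, the data this finding is concerned with
FINANCIAL_AID_ROLES = {"fa_view", "fa_award_entry", "fa_disbursement_approve", "refund_process"}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    job: str
    roles: frozenset


def evaluate_employee(emp: Employee) -> dict:
    """Compare one employee's roles with the baseline for their job and with the SoD rules."""
    baseline = JOB_ROLE_BASELINE.get(emp.job)
    if baseline is None:
        # An undocumented job means there is no least-privilege baseline to test against
        raise ValueError(f"no role baseline defined for job {emp.job!r}")
    excess = set(emp.roles) - baseline
    conflicts = sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= emp.roles)
    return {
        "emp_id": emp.emp_id,
        "excess_roles": sorted(excess),
        "fa_data_beyond_job": sorted(excess & FINANCIAL_AID_ROLES),
        "sod_conflicts": conflicts,
    }


def access_review(employees) -> dict:
    """Employees needing follow-up, plus the exception rate in the form the finding reports it."""
    results = [evaluate_employee(e) for e in employees]
    flagged = [r for r in results if r["excess_roles"] or r["sod_conflicts"]]
    fa_beyond = [r for r in results if r["fa_data_beyond_job"]]
    rate = round(100 * len(flagged) / len(employees)) if employees else 0
    return {
        "flagged": flagged,
        "fa_beyond_job_count": len(fa_beyond),
        "exception_rate": f"{len(flagged)} of {len(employees)} ({rate}%)",
    }


# Constructed employee records (identifiers and assignments are made up)
SAMPLE_EMPLOYEES = [
    Employee("E01", "financial_aid_counselor", frozenset({"fa_view", "fa_award_entry"})),
    Employee("E02", "financial_aid_counselor", frozenset({"fa_view", "fa_award_entry", "fa_disbursement_approve"})),
    Employee("E03", "registrar_clerk", frozenset({"enrollment_view", "enrollment_update", "fa_view"})),
    Employee("E04", "it_support", frozenset({"account_reset"})),
    Employee("E05", "bursar_clerk", frozenset({"fa_view", "refund_process"})),
    Employee("E06", "fa_disbursement_officer", frozenset({"fa_view", "fa_disbursement_approve", "enrollment_update"})),
]


if __name__ == "__main__":
    review = access_review(SAMPLE_EMPLOYEES)
    print(review["exception_rate"], "employees hold roles beyond their job baseline or in conflict")
    for r in review["flagged"]:
        print(r)
```

Two of the constructed employees hold financial aid data roles their job does not need, and two hold conflicting role pairs, which is the distinction the finding draws between least privilege and segregation of duties. The baseline table is the control that has to exist first; without a documented mapping from job to permitted roles, a periodic access review has nothing to compare against.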
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-090: Improve Reporting to the National Student Loan Data System
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College; Old Dominion University; Radford University; University of Virginia; Virginia State University
Prior Year Finding Number: 2021-078; 2018-101
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 685.309
Known Questioned Costs: $0
The institutions noted below did not report accurate and/or timely enrollment data to the Department of Education (ED) using the National Student Loan Data System (NSLDS) in accordance with 34 CFR § 685.309 and the NSLDS Enrollment Guide for students who had withdrawn, graduated, or changed enrollment levels. The accuracy of Title IV enrollment data depends heavily on information reported by institutions. The institutions’ inaccurate and untimely enrollment data submissions to NSLDS can affect ED’s reliance on NSLDS for monitoring purposes and may interfere with establishing a student’s loan status, deferment privileges, and grace periods. In addition, noncompliance may also impact an institution’s participation in Title IV programs.
George Mason University
GMU management determined the discrepancies in its enrollment reporting submissions were due to a lack of communication between the Office of the University Registrar and the Office of Student Financial Aid. From our sample of 40 students, we noted the following instances of noncompliance:
GMU reported an inaccurate enrollment status for seven students (18%);
GMU reported an inaccurate enrollment status effective date for nine students (23%);
GMU did not report enrollment status changes timely for seven students (18%);
GMU reported inaccurate information in at least one campus or program-level field deemed critical for nine students (23%); and
GMU did not provide evidence supporting that it reported accurate physical addresses in NSLDS for eight students (20%).
Norfolk State University
NSU management indicated the errors in its enrollment reporting submissions were due to staff turnover in the Office of the Registrar and programming issues within the student information system. From our sample of 39 students, we noted the following instances of noncompliance:
NSU reported an inaccurate enrollment status for six students (15%);
NSU reported an inaccurate enrollment status effective date for 26 students (67%);
NSU did not report enrollment status changes timely for one student (3%); and
NSU reported inaccurate information in at least one campus or program-level field deemed critical for 17 students (44%).
Northern Virginia Community College
A lack of management oversight in NVCC’s Registrar’s Office led to the discrepancies in its enrollment reporting submissions. From our sample of 40 students, we noted the following instances of noncompliance:
NVCC reported an inaccurate enrollment status for ten students (25%);
NVCC reported an inaccurate enrollment status effective date for 12 students (30%);
NVCC did not report enrollment status changes timely for eight students (20%);
NVCC reported inaccurate information in at least one campus or program-level field deemed critical for 14 students (35%); and
NVCC could not demonstrate proper approval for the academic program for one student (3%), since the academic program did not appear on the State Council of Higher Education for Virginia (SCHEV) degree inventory report.
Old Dominion University
ODU management indicated the errors in its enrollment reporting submission were due to staff turnover. From our sample of 50 students, we noted the following instances of noncompliance:
ODU reported an inaccurate enrollment status for nine students (18%);
ODU reported an inaccurate enrollment status effective date for 29 students (58%);
ODU did not report enrollment status changes timely for 15 students (30%); and
ODU reported inaccurate information in at least one campus or program-level field deemed critical for 29 students (58%).
Radford University
The primary cause of the discrepancies in RU’s enrollment reporting submissions was staff turnover and the time required for new staff to become proficient in their responsibilities. From our sample of 43 students, we noted the following instances of noncompliance:
RU reported an inaccurate enrollment status for one student (2%);
RU reported an inaccurate enrollment status effective date for three students (7%);
RU did not report enrollment status changes timely for 10 students (23%);
RU reported inaccurate information in at least one campus or program-level field deemed critical for three students (7%); and
RU could not demonstrate proper approval for the academic program for one student (2%), since the academic program did not appear on the SCHEV degree inventory report.
University of Virginia
The underlying causes for the discrepancies in UVA’s enrollment reporting submissions were data entry errors and batch processing issues. Specifically, UVA recorded a student’s social security number inaccurately in its Student Information System. Additionally, batch enrollment updates caused new data submissions to overwrite previous data, which resulted in deactivated and inaccurate enrollment records. From our review of 40 students, we noted the following instances of noncompliance:
UVA reported an inaccurate enrollment status effective date for four students (10%);
UVA did not report enrollment status changes timely for five students (13%); and
UVA reported inaccurate information in at least one campus or program-level field deemed critical for four students (10%).
Virginia State University
A lack of management oversight in VSU’s enrollment reporting process led to the discrepancies in its enrollment reporting submissions. From our sample of 49 students, we noted the following instances of noncompliance:
VSU reported an inaccurate enrollment status for three students (6%);
VSU reported an inaccurate enrollment status effective date for six students (12%);
VSU did not report enrollment status changes timely for 21 students (43%);
VSU reported inaccurate information in at least one campus or program-level field deemed critical for 10 students (20%);
VSU could not demonstrate proper approval for the academic program for eight students (16%), since the academic program did not appear on the SCHEV degree inventory report; and
The permanent address for two out of 39 applicable federal Direct Loan borrowers (5%) did not agree between the student information system and NSLDS.
Recommendation
Each institution should evaluate its current enrollment reporting procedures and implement corrective action to ensure it reports accurate and timely student enrollment data to NSLDS to prevent future noncompliance. Where applicable, institutions should also consider implementing a quality control review process to monitor the accuracy of campus and program-level batch submissions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify students requiring a return of Title IV calculation. At the end of the spring 2024 term, turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result of those initial inaccuracies, the Financial Aid Office was delayed in identifying students requiring a return of Title IV calculation.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not timely identify students requiring a return of Title IV calculation. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance the student earned as of the student’s withdrawal date. That amount is based on the percentage of the payment period the student completed, which is the number of calendar days completed divided by the total number of calendar days in the period. The total number of calendar days includes all days within the period, except that scheduled breaks of at least five consecutive days are excluded from both the total days and the days completed; shorter breaks remain in the count. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
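The following Python script is an added illustration of the break-day rule described above; it is not part of the audit report and does not represent any institution’s student information system. The term dates, scheduled breaks, withdrawal dates, and disbursed amount are constructed for the example. The earned-percentage formula and the rule that a student who completes more than 60 percent of the period has earned 100 percent of the aid come from 34 CFR § 668.22(e) and (f), which the finding does not quote; ED’s worksheet rounding conventions are not applied. The min_break_days parameter exists only to show how wrongly excluding a short holiday, the error described in the findings below, changes the result.

```python
from datetime import date, timedelta

# Constructed example data (not taken from the audit report): a fall term with a
# one-day Labor Day holiday and a five-day Thanksgiving break.
TERM_START = date(2023, 9, 1)
TERM_END = date(2023, 12, 15)
SCHEDULED_BREAKS = [
    (date(2023, 9, 4), date(2023, 9, 4)),      # 1 day: stays in the day count
    (date(2023, 11, 22), date(2023, 11, 26)),  # 5 days: excluded from the count
]
WITHDRAWAL_EARLY = date(2023, 10, 10)  # before the 60 percent point
WITHDRAWAL_LATE = date(2023, 11, 30)   # after the 60 percent point


def days_between(start, end):
    """Yield every calendar day from start through end, inclusive."""
    for i in range((end - start).days + 1):
        yield start + timedelta(days=i)


def excluded_break_days(breaks, min_break_days=5):
    """Return the set of calendar days removed from both R2T4 day counts.

    34 CFR 668.22(f) excludes only scheduled breaks of at least five
    consecutive days. Passing a smaller min_break_days reproduces the
    error in the finding, where shorter breaks were wrongly excluded.
    """
    excluded = set()
    for start, end in breaks:
        if (end - start).days + 1 >= min_break_days:
            excluded.update(days_between(start, end))
    return excluded


def r2t4(period_start, period_end, withdrawal_date, breaks, disbursed,
         min_break_days=5):
    """Compute earned and unearned Title IV aid for a withdrawn student.

    percentage completed = completed days / total days, both net of
    qualifying scheduled breaks; more than 60 percent completed means
    100 percent earned (34 CFR 668.22(e)). Rounding follows plain
    two-decimal currency rounding, not ED's worksheet conventions.
    """
    if not period_start <= withdrawal_date <= period_end:
        raise ValueError("withdrawal date must fall within the payment period")
    excluded = excluded_break_days(breaks, min_break_days)
    total_days = sum(1 for d in days_between(period_start, period_end)
                     if d not in excluded)
    completed_days = sum(1 for d in days_between(period_start, withdrawal_date)
                         if d not in excluded)
    pct_completed = completed_days / total_days
    pct_earned = 1.0 if pct_completed > 0.60 else pct_completed
    earned = round(disbursed * pct_earned, 2)
    return {
        "total_days": total_days,
        "completed_days": completed_days,
        "pct_completed": pct_completed,
        "earned": earned,
        "unearned": round(disbursed - earned, 2),
    }


if __name__ == "__main__":
    correct = r2t4(TERM_START, TERM_END, WITHDRAWAL_EARLY, SCHEDULED_BREAKS, 5000.00)
    wrong = r2t4(TERM_START, TERM_END, WITHDRAWAL_EARLY, SCHEDULED_BREAKS, 5000.00,
                 min_break_days=1)
    print("five-day rule applied      :", correct)
    print("one-day holiday excluded   :", wrong)
    print("after the 60 percent point :",
          r2t4(TERM_START, TERM_END, WITHDRAWAL_LATE, SCHEDULED_BREAKS, 5000.00))
```

With the constructed term, the five-day Thanksgiving break lowers the denominator from 106 to 101 days, while the one-day holiday does not; excluding that holiday as well shifts the earned percentage and therefore the amount that must be returned to ED, which is the kind of discrepancy the findings below describe.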
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations, resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the timeframe required by 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date the institution determines that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with the return requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe, resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued the check; if an electronic funds transfer (EFT) is rejected, the institution must return the funds no later than 45 days after the rejection. By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 of 87 (13%) students sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement, or after becoming aware of the need to adjust a student’s previously reported disbursement, and no earlier than seven days prior to the disbursement date. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-097: Improve Notification Process for Federal Direct Loan Awards to Students
Applicable to: Norfolk State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.165(a)(2)
Known Questioned Costs: $0
NSU Financial Aid Office staff did not provide proper federal Direct Loan notification for one of 25 (4%) borrowers. The Financial Aid Office manually enters data into the student information system which transmits the required notifications to borrowers. However, a staff member assigned to send notifications was out of the office and the Financial Aid Office did not have a designated back-up.
In accordance with 34 CFR § 668.165(a)(2), institutions must notify students receiving federal Direct Loans, in writing, of the date and amount of the disbursement, the student’s right to cancel all or a portion of a loan or loan disbursement, and the procedure and time by which the student must notify the institution that he or she wishes to cancel the loan. Additionally, 34 CFR § 668.165(a)(3)(i) and (ii) require that, for Direct Loans, the institution provide the notice in writing no earlier than 30 days before, and no later than 30 days after, crediting the student’s account if the institution obtains affirmative confirmation, and no later than seven days after crediting the account if the institution does not obtain affirmative confirmation.
Not properly notifying students in accordance with federal regulations may result in adverse actions and impact participation in Title IV programs. Additionally, improper notification could limit the amount of time a student or parent has to make an informed decision on whether to accept or reject a loan. The Financial Aid Office should revise its existing procedures to cross train staff, thus providing for proper back-up when staff are absent. NSU management should ensure each federal Direct Loan borrower receives the required notification.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-099: Reconcile Federal Assistance Programs
Applicable to: Northern Virginia Community College
Prior Year Finding Number: 2021-073
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Cash Management - 34 CFR § 676.19(b)(2)
Known Questioned Costs: $0
NVCC Controller’s Office and Financial Aid Office staff did not adequately reconcile the college’s federal Direct Loan program. Both of the two (100%) reconciliations sampled had a reconciling difference: the January 2024 ending cash balance had a reconciling difference of $144,734, and March 2024 had a reconciling difference of $7,692. NVCC management indicated that management and staff turnover in the Controller’s Office, a lack of communication between the Controller’s Office and the Financial Aid Office, and the Controller’s Office not drawing down funds on a timely schedule contributed to the reconciling differences identified.
In accordance with 34 CFR § 676.19(b)(2), institutions shall establish and maintain program and fiscal records that are reconciled at least monthly. By not reconciling federal student aid programs properly each month, NVCC increases its risk of not identifying issues and resolving them before they become a systemic problem. Systemic problems may result in potential adverse actions and impact participation in Title IV programs.
The NVCC Financial Aid Office and Controller’s Office should review and enhance their current reconciliation process for federal assistance programs. Management should ensure that staff complete reconciliations properly and timely, including resolving reconciling differences.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security
Applicable to: Department of Education - Direct Aid to Public Education
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management; Audit and Accountability
ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data.
The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission-critical data stored or processed in the database.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
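The kind of access-role review the finding and the ISO guidance call for, as an added example that is not the auditors' or the college's own tooling: it compares each employee's student information system roles against a job-to-role matrix (least privilege) and against a list of role pairs that should not sit with one person (conflicting roles). All employee names, job titles, role names and the conflict list are constructed for illustration.

```python
"""Access-role review for a student information system (SIS).

Added example; not part of the audit report or any institution's tooling.
Employee, job-title and role names below are constructed. The review flags
the two things the finding calls out: roles beyond what a job needs (least
privilege) and role combinations one person should not hold (conflicting
roles / segregation of duties).
"""
from dataclasses import dataclass, field

# Constructed job-to-role matrix: the only SIS roles each job title needs.
PERMITTED_ROLES = {
    "FA Counselor": {"FA_VIEW", "FA_AWARD"},
    "FA Verification Clerk": {"FA_VIEW", "FA_VERIFY"},
    "Controller Accountant": {"GL_VIEW", "FA_DISBURSE"},
    "Registrar Clerk": {"REG_VIEW", "REG_UPDATE"},
}

# Constructed conflicting role pairs: one person should not hold both.
CONFLICTING_PAIRS = [
    frozenset({"FA_AWARD", "FA_DISBURSE"}),  # award aid and pay it out
    frozenset({"FA_VERIFY", "FA_AWARD"}),    # verify FAFSA data and award on it
]


@dataclass
class Finding:
    user: str
    excess_roles: set = field(default_factory=set)
    conflicts: list = field(default_factory=list)


def review_access(assignments, permitted=PERMITTED_ROLES,
                  conflicts=CONFLICTING_PAIRS):
    """Return {user: Finding} for every user with excess or conflicting roles.

    assignments: {user: (job_title, {roles})}. A job title missing from the
    matrix permits no roles, so everything that user holds is reported as
    excess rather than silently accepted.
    """
    findings = {}
    for user, (job, roles) in assignments.items():
        roles = set(roles)
        excess = roles - permitted.get(job, set())
        held = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if excess or held:
            findings[user] = Finding(user, excess, held)
    return findings


def summarize(assignments, **kw):
    """(users with excess access, users reviewed), as the finding reports it."""
    findings = review_access(assignments, **kw)
    excess_users = sum(1 for f in findings.values() if f.excess_roles)
    return excess_users, len(assignments)


# Constructed SIS access export.
SAMPLE_ASSIGNMENTS = {
    "alice": ("FA Counselor", {"FA_VIEW", "FA_AWARD"}),
    "bob": ("Registrar Clerk", {"REG_VIEW", "REG_UPDATE", "FA_VIEW"}),
    "carol": ("Controller Accountant", {"GL_VIEW", "FA_DISBURSE", "FA_AWARD"}),
    "dave": ("FA Verification Clerk", {"FA_VIEW", "FA_VERIFY"}),
    "erin": ("Student Worker", {"FA_VIEW"}),  # job not in matrix
}

if __name__ == "__main__":
    for f in review_access(SAMPLE_ASSIGNMENTS).values():
        print(f"{f.user}: excess={sorted(f.excess_roles)} conflicts={f.conflicts}")
    n, total = summarize(SAMPLE_ASSIGNMENTS)
    print(f"{n} of {total} ({n * 100 // total}%) users hold access beyond their job role")
```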
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
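The day-count rule stated above, worked through as an added example that is not the auditors' or any institution's code: every calendar day in the payment period counts, except scheduled breaks of at least five consecutive days, and the same exclusion applies to the days completed up to the withdrawal date. The term dates and breaks are constructed, and a `min_break` parameter is included only to show how excluding a break that does not qualify shifts both counts.

```python
"""Calendar-day count for a return of Title IV (R2T4) calculation.

Added example; not part of the audit report or any institution's system.
It applies the rule stated in the finding: count all calendar days in the
payment period, excluding scheduled breaks of at least five consecutive
days, and count the days completed up to the withdrawal date the same way.
Term dates and breaks below are constructed.
"""
from datetime import date

MIN_EXCLUDED_BREAK = 5  # a break shorter than this is NOT excluded


def excluded_days(breaks, start, end, min_break=MIN_EXCLUDED_BREAK):
    """Count break days inside [start, end] that qualify for exclusion.

    breaks: list of (first_day, last_day) inclusive date pairs. A break
    qualifies on its full scheduled length, not on the part overlapping the
    window, so a one-day holiday is never excluded even though it sits
    inside the period.
    """
    excluded = 0
    for first, last in breaks:
        if (last - first).days + 1 < min_break:
            continue  # e.g. a single holiday: stays in the count
        lo, hi = max(first, start), min(last, end)
        if lo <= hi:
            excluded += (hi - lo).days + 1
    return excluded


def r2t4_days(period_start, period_end, withdrawal_date, breaks,
              min_break=MIN_EXCLUDED_BREAK):
    """Return (days_completed, total_days) with qualifying breaks removed.

    min_break is a parameter only so the effect of the error the finding
    describes (excluding breaks that do not qualify) can be shown.
    """
    total = ((period_end - period_start).days + 1
             - excluded_days(breaks, period_start, period_end, min_break))
    completed = ((withdrawal_date - period_start).days + 1
                 - excluded_days(breaks, period_start, withdrawal_date, min_break))
    return completed, total


def percent_completed(period_start, period_end, withdrawal_date, breaks,
                      min_break=MIN_EXCLUDED_BREAK):
    """Percentage of the payment period completed, rounded to one decimal."""
    completed, total = r2t4_days(period_start, period_end, withdrawal_date,
                                 breaks, min_break)
    return round(100 * completed / total, 1)


# Constructed fall term: 110 calendar days with two scheduled breaks.
TERM_START = date(2023, 8, 21)
TERM_END = date(2023, 12, 8)
BREAKS = [
    (date(2023, 9, 4), date(2023, 9, 4)),      # 1-day holiday: not excluded
    (date(2023, 11, 22), date(2023, 11, 26)),  # 5-day break: excluded
]
WITHDRAWAL = date(2023, 10, 20)

if __name__ == "__main__":
    print(r2t4_days(TERM_START, TERM_END, WITHDRAWAL, BREAKS))          # (61, 105)
    print(percent_completed(TERM_START, TERM_END, WITHDRAWAL, BREAKS))  # 58.1
    # Excluding every break regardless of length, the error the finding
    # describes, changes both counts:
    print(r2t4_days(TERM_START, TERM_END, WITHDRAWAL, BREAKS, min_break=1))  # (60, 104)
```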
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds in accordance with the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) students sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their participation in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
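The inventory and retention-monitoring procedures described in the two preceding paragraphs can be expressed as a check that runs against a data inventory on a schedule. The following is an added example, not NVCC's procedure or anything from the audit: the inventory rows, the review date and the field names are constructed assumptions; the two-year window is the GLBA disposal requirement quoted above, and the 90-day notice period is an assumed policy value.

```python
"""Retention check over a customer-information inventory (GLBA two-year rule).

Added example, not the college's or the auditor's procedure. The inventory
rows, the review date and the field names are constructed assumptions; the
two-year window is the 16 CFR 314.4 disposal requirement; DUE_SOON is an
assumed policy value.
"""
from collections import defaultdict
from datetime import date, timedelta

DISPOSAL_WINDOW = timedelta(days=730)   # two years after last use for the customer
DUE_SOON = 90                           # days of notice before the deadline (assumed)

# Constructed inventory rows: what customer information is held, where, who
# owns it, when it was last used for the customer, and any documented reason
# for keeping it past two years (the "necessary for business operations" exception).
INVENTORY = [
    {"id": "sis-fa-2021", "system": "SIS", "data": "FAFSA records 2021-22",
     "owner": "Financial Aid", "last_used": date(2022, 6, 30), "retain_justification": None},
    {"id": "bursar-2022", "system": "ERP", "data": "Refund EFT details 2022",
     "owner": "Bursar", "last_used": date(2022, 8, 15), "retain_justification": None},
    {"id": "cod-archive", "system": "document imaging (vendor)", "data": "Verification documents 2020-21",
     "owner": "Financial Aid", "last_used": date(2021, 9, 1),
     "retain_justification": "Open ED program review (assumed)"},
    {"id": "sis-fa-2024", "system": "SIS", "data": "FAFSA records 2024-25",
     "owner": "Financial Aid", "last_used": date(2024, 6, 1), "retain_justification": None},
    {"id": "legacy-export", "system": "shared drive", "data": "Bursar refund export",
     "owner": None, "last_used": None, "retain_justification": None},
]


def classify(record, as_of):
    """Status of one inventory row on the review date.

    review  - owner or last-use date missing; the rule cannot be applied, so the
              row is an inventory defect to resolve, not something to skip
    exempt  - past two years, but a documented business reason is recorded
    overdue - past two years with no documented reason: should already be disposed
    due     - deadline falls within DUE_SOON days
    retain  - inside the two-year window
    """
    if record["owner"] is None or record["last_used"] is None:
        return "review"
    days_left = (record["last_used"] + DISPOSAL_WINDOW - as_of).days
    if days_left < 0:
        return "exempt" if record["retain_justification"] else "overdue"
    if days_left <= DUE_SOON:
        return "due"
    return "retain"


def retention_report(inventory, as_of):
    """Group inventory ids by status, preserving inventory order within each group."""
    report = defaultdict(list)
    for record in inventory:
        report[classify(record, as_of)].append(record["id"])
    return dict(report)


if __name__ == "__main__":
    for status, ids in retention_report(INVENTORY, date(2024, 6, 30)).items():
        print(f"{status:8s} {', '.join(ids)}")
```

Rows with a missing owner or last-use date are reported as a separate "review" class rather than silently treated as retained; an inventory that cannot answer those two questions for a holding is exactly the condition the finding describes. Exempt rows still appear in the report so the documented justification is re-examined on each run rather than granted once.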
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what they need to complete their job responsibilities. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing staff access levels. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
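The evaluation the recommendation calls for can be scripted against an export of role assignments rather than done by eye. The following is an added example, not NVCC's code or the auditor's test procedure: it assumes a role-to-job matrix and a list of conflicting role pairs (both constructed here, as are the employee rows), flags roles outside an employee's job function, flags conflicting role pairs as the ISO guidance above describes, and treats an employee whose job function is missing from the matrix as a finding rather than skipping them.

```python
"""Least-privilege and segregation-of-duties review of SIS role assignments.

Added example; not NVCC's code or the auditor's test procedure. The role
names, job functions, conflict pairs and employee rows are constructed
assumptions standing in for an export from the student information system.
"""
from dataclasses import dataclass, field

# Assumed role-to-job matrix: the only roles each job function may hold.
ALLOWED_ROLES = {
    "fa_counselor": {"FA_VIEW", "FA_AWARD"},
    "fa_verifier": {"FA_VIEW", "FA_VERIFY"},
    "bursar_clerk": {"SF_VIEW", "SF_REFUND"},
    "registrar_clerk": {"SR_VIEW", "SR_ENROLL"},
    "it_support": {"SIS_READONLY"},
}

# Assumed conflicting role pairs (segregation of duties): awarding aid must not
# be combined with verifying the same applicant or releasing the resulting refund.
SOD_CONFLICTS = {
    frozenset({"FA_AWARD", "FA_VERIFY"}),
    frozenset({"FA_AWARD", "SF_REFUND"}),
}

# Roles that expose financial aid data; used to surface the condition in the finding.
FA_DATA_ROLES = {"FA_VIEW", "FA_AWARD", "FA_VERIFY"}


@dataclass
class AccessFinding:
    user: str
    excess_roles: set = field(default_factory=set)   # roles outside the job's matrix row
    conflicts: list = field(default_factory=list)    # SoD pairs the user holds in full
    unknown_job: bool = False                        # job function not in the matrix


def review_access(assignments, allowed=ALLOWED_ROLES, conflicts=SOD_CONFLICTS):
    """assignments: iterable of (user, job_function, roles). Returns an
    AccessFinding for every user with excess roles, a SoD conflict, or a job
    function the matrix does not know (treated as a finding, not skipped)."""
    findings = []
    for user, job, roles in assignments:
        roles = set(roles)
        f = AccessFinding(user=user)
        if job in allowed:
            f.excess_roles = roles - allowed[job]
        else:
            f.unknown_job = True
            f.excess_roles = roles      # nothing is authorised for an unmapped job
        f.conflicts = sorted(tuple(sorted(p)) for p in conflicts if p <= roles)
        if f.excess_roles or f.conflicts or f.unknown_job:
            findings.append(f)
    return findings


def fa_overexposed(findings):
    """Users whose excess roles include financial aid data (the finding's condition)."""
    return sorted(f.user for f in findings if f.excess_roles & FA_DATA_ROLES)


# Constructed SIS role export (fictitious employees).
SAMPLE = [
    ("alice", "fa_counselor", {"FA_VIEW", "FA_AWARD"}),                # clean
    ("bob", "bursar_clerk", {"SF_VIEW", "SF_REFUND", "FA_VIEW"}),      # FA data beyond job
    ("carol", "registrar_clerk", {"SR_VIEW", "SR_ENROLL"}),           # clean
    ("dave", "fa_counselor", {"FA_VIEW", "FA_AWARD", "SF_REFUND"}),    # excess role and SoD conflict
    ("erin", "contractor", {"SIS_READONLY"}),                         # job not in matrix
]

if __name__ == "__main__":
    results = review_access(SAMPLE)
    for f in results:
        print(f)
    print("financial aid over-exposure:", fa_overexposed(results))
```

The matrix, not the current assignments, is the source of truth: the review asks whether each held role is authorised for the job, so an employee whose job is not mapped surfaces as a finding instead of being silently accepted. Run periodically, with the matrix owned by the business units rather than by whoever provisions accounts, this is the access review the finding says was not being performed.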
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance until after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the timeframe required by 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check; if an electronic funds transfer (EFT) is rejected, the institution must return the funds no later than 45 days after the rejection. By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-072: Strengthen Controls over Procurement
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0
Epidemiology is not compiling and retaining a comprehensive contract listing for all procured and active contracts funded by the ELC federal grant program. Management was unable to provide the comprehensive contract listing due to not properly maintaining the documentation.
Title 2 CFR § 200.317 governs procurements by states and requires that “when procuring property and services under a Federal award, a State must follow the same policies and procedures it uses for procurements from its non-Federal funds.” Department of General Services Agency Procurement and Surplus Property Manual (APSPM) - Section 10.3 requires agencies to maintain a complete file in one place for each purchase transaction. It states that the file must contain, at a minimum, as applicable, the description of requirements, sources solicited, a copy of the Virginia Business Opportunities receipt, cancellation notices, the method of evaluation and award, a signed copy of the contract or purchase order, contractor performance report submitted by the administrator, modifications or change orders, vendor complaint forms, cure letters, usage data such as release or obligation registers, and any other actions relating to the procurement. In addition, APSPM Annex 10-A, which is a Post Award Administration Checklist, requires the agency to list the contract on the agency’s master contract list or schedule to include period of performance and any renewal option(s) to allow for the planning of renewal or rebidding actions.
Health’s individual offices or Local Health Districts (LHD) complete procurements for the ELC federal grant program up to $100,000, with procurements over $10,000 and up to $100,000 being solicited through a “quick quote.” Health’s Office of Procurement and General Services handles complex procurements. Since Health has 35 LHDs, the absence of a comprehensive contract listing increases the risk of a contract being established by an LHD that goes unnoticed by Epidemiology. Due to limited staff and the number of health offices and LHDs involved in the procurement process, Epidemiology was unable to provide a comprehensive contract listing. By not maintaining proper documentation and support, Health is unable to ensure the effectiveness of internal controls. Furthermore, it is difficult to substantiate the legitimacy of the procurement transaction, increasing the risk of unauthorized transactions, which also increases the potential for questioned costs.
Health’s management should develop a policy requiring the compilation of comprehensive contract listings and communicate the policy to the applicable offices and districts. Health’s management should also ensure that the applicable offices and districts involved have adequate staffing and training on contract procurement and the need to maintain adequate documentation for all procurements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d)
Known Questioned Costs: $0
Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse).
Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings.
OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-107: Strengthen Controls over FFATA Reporting
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Health is not completing Federal Funding Accountability and Transparency Act (FFATA) reporting for the ELC and STLT federal grant programs. During our audit, we found that Epidemiology and OHE did not complete FFATA reporting submissions for subrecipients who received $30,000 or more in ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. Title 2 CFR Part 170 Appendix A, included in award documents signed by management, requires Health to report each obligating action, exceeding $30,000, to the FFATA Subaward Reporting System (FSRS). Health’s FFATA reporting policy, which Health last updated in 2014, states that all offices and districts that are recipients of federal grants and contracts shall adhere to all requirements of the FFATA and ensure timely and accurate reporting.
Epidemiology and OHE have experienced turnover in key positions that were historically responsible for completing and submitting FFATA reports. In addition, OFM did not have a procedure in place to detect subawards that it should have reported to FSRS. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how Health is obligating federal funds.
Epidemiology and OHE should ensure program personnel adhere to Health policies and procedures and fulfill FFATA reporting responsibilities by submitting required FFATA subaward reporting information by the due date and retaining documentation to support the submissions. Additionally, OFM should update and communicate the FFATA reporting policy to applicable offices and districts. Further, OFM should periodically analyze subaward records to determine if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, OFM should collect this information from the applicable program personnel promptly to comply with the FFATA reporting requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-072: Strengthen Controls over Procurement
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0
Epidemiology is not compiling and retaining a comprehensive contract listing for all procured and active contracts funded by the ELC federal grant program. Management was unable to provide the comprehensive contract listing due to not properly maintaining the documentation.
Title 2 CFR § 200.317 governs procurements by states and requires that “when procuring property and services under a Federal award, a State must follow the same policies and procedures it uses for procurements from its non-Federal funds.” Department of General Services Agency Procurement and Surplus Property Manual (APSPM) - Section 10.3 requires agencies to maintain a complete file in one place for each purchase transaction. It states that the file must contain, at a minimum, as applicable, the description of requirements, sources solicited, a copy of the Virginia Business Opportunities receipt, cancellation notices, the method of evaluation and award, a signed copy of the contract or purchase order, contractor performance report submitted by the administrator, modifications or change orders, vendor complaint forms, cure letters, usage data such as release or obligation registers, and any other actions relating to the procurement. In addition, APSPM Annex 10-A, which is a Post Award Administration Checklist, requires the agency to list the contract on the agency’s master contract list or schedule to include period of performance and any renewal option(s) to allow for the planning of renewal or rebidding actions.
Health's individual offices or Local Health Districts (LHD) complete procurements for the ELC federal grant program up to $100,000, with procurements over $10,000 and up to $100,000 being solicited through a “quick quote.” Health’s Office of Procurement and General Services handles complex procurements. Since Health has 35 LHDs, the absence of a comprehensive contract listing increases the risk of a contract being established by an LHD that goes unnoticed by Epidemiology. Due to limited staff and the number of health offices and LHDs involved in the procurement process, Epidemiology was unable to provide a comprehensive contract listing. By not maintaining proper documentation and support, Health is unable to ensure the effectiveness of internal controls. Furthermore, it is difficult to substantiate the legitimacy of the procurement transaction, increasing the risk of unauthorized transactions, which also increases the potential for questioned costs.
Health’s management should develop a policy requiring the compilation of comprehensive contract listings and communicate the policy to the applicable offices and districts. Health’s management should also ensure that the applicable offices and districts involved have adequate staffing and training on contract procurement and the need to maintain adequate documentation for all procurements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d)
Known Questioned Costs: $0
Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse).
Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings.
OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-107: Strengthen Controls over FFATA Reporting
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Health is not completing Federal Funding Accountability and Transparency Act (FFATA) reporting for the ELC and STLT federal grant programs. During our audit, we found that Epidemiology and OHE did not complete FFATA reporting submissions for subrecipients who received $30,000 or more in ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. Title 2 CFR Part 170 Appendix A, included in award documents signed by management, requires Health to report each obligating action, exceeding $30,000, to the FFATA Subaward Reporting System (FSRS). Health’s FFATA reporting policy, which Health last updated in 2014, states that all offices and districts that are recipients of federal grants and contracts shall adhere to all requirements of the FFATA and ensure timely and accurate reporting.
Epidemiology and OHE have experienced turnover in key positions that were historically responsible for completing and submitting FFATA reports. In addition, OFM did not have a procedure in place to detect subawards that it should have reported to FSRS. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how Health is obligating federal funds.
Epidemiology and OHE should ensure program personnel adhere to Health policies and procedures and fulfill FFATA reporting responsibilities by submitting required FFATA subaward reporting information by the due date and retaining documentation to support the submissions. Additionally, OFM should update and communicate the FFATA reporting policy to applicable offices and districts. Further, OFM should periodically analyze subaward records to determine if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, OFM should collect this information from the applicable program personnel promptly to comply with the FFATA reporting requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-072: Strengthen Controls over Procurement
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0
Epidemiology is not compiling and retaining a comprehensive contract listing for all procured and active contracts funded by the ELC federal grant program. Management was unable to provide the comprehensive contract listing due to not properly maintaining the documentation.
Title 2 CFR § 200.317 governs procurements by states and requires that “when procuring property and services under a Federal award, a State must follow the same policies and procedures it uses for procurements from its non-Federal funds.” Department of General Services Agency Procurement and Surplus Property Manual (APSPM) - Section 10.3 requires agencies to maintain a complete file in one place for each purchase transaction. It states that the file must contain, at a minimum, as applicable, the description of requirements, sources solicited, a copy of the Virginia Business Opportunities receipt, cancellation notices, the method of evaluation and award, a signed copy of the contract or purchase order, contractor performance report submitted by the administrator, modifications or change orders, vendor complaint forms, cure letters, usage data such as release or obligation registers, and any other actions relating to the procurement. In addition, APSPM Annex 10-A, which is a Post Award Administration Checklist, requires the agency to list the contract on the agency’s master contract list or schedule to include period of performance and any renewal option(s) to allow for the planning of renewal or rebidding actions.
Health's individual offices or Local Health Districts (LHD) complete procurements for the ELC federal grant program up to $100,000, with procurements over $10,000 and up to $100,000 being solicited through a “quick quote.” Health’s Office of Procurement and General Services handles complex procurements. Since Health has 35 LHDs, the absence of a comprehensive contract listing increases the risk of a contract being established by an LHD that goes unnoticed by Epidemiology. Due to limited staff and the number of health offices and LHDs involved in the procurement process, Epidemiology was unable to provide a comprehensive contract listing. By not maintaining proper documentation and support, Health is unable to ensure the effectiveness of internal controls. Furthermore, it is difficult to substantiate the legitimacy of the procurement transaction, increasing the risk of unauthorized transactions, which also increases the potential for questioned costs.
Health’s management should develop a policy requiring the compilation of comprehensive contract listings and communicate the policy to the applicable offices and districts. Health’s management should also ensure that the applicable offices and districts involved have adequate staffing and training on contract procurement and the need to maintain adequate documentation for all procurements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d)
Known Questioned Costs: $0
Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse).
Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings.
OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-107: Strengthen Controls over FFATA Reporting
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Health is not completing Federal Funding Accountability and Transparency Act (FFATA) reporting for the ELC and STLT federal grant programs. During our audit, we found that Epidemiology and OHE did not complete FFATA reporting submissions for subrecipients who received $30,000 or more in ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. Title 2 CFR Part 170 Appendix A, which is incorporated into the award documents signed by management, requires Health to report each obligating action of $30,000 or more in federal funds for a subaward to the FFATA Subaward Reporting System (FSRS). Health’s FFATA reporting policy, last updated in 2014, states that all offices and districts that receive federal grants and contracts shall adhere to all FFATA requirements and ensure timely and accurate reporting.
Epidemiology and OHE have experienced turnover in key positions that were historically responsible for completing and submitting FFATA reports. In addition, OFM did not have a procedure in place to detect subawards that it should have reported to FSRS. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how Health is obligating federal funds.
Epidemiology and OHE should ensure program personnel adhere to Health policies and procedures and fulfill FFATA reporting responsibilities by submitting required FFATA subaward reporting information by the due date and retaining documentation to support the submissions. Additionally, OFM should update and communicate the FFATA reporting policy to applicable offices and districts. Further, OFM should periodically analyze subaward records to determine if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, OFM should collect this information from the applicable program personnel promptly to comply with the FFATA reporting requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1)
Known Questioned Costs: $0
Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and found that every one of them lacked one or more of the elements required by 2 CFR § 200.332(a)(1). Specifically, we noted the following instances of non-compliance in these subaward renewal agreements:
Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii).
Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii).
Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii).
Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x).
Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii).
Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv).
During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement.
Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements.
Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f)
Known Questioned Costs: $0
Compliance continues to not review non-locality subrecipient Single Audit reports as set forth in its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments; they consist mainly of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following:
Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000.
Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One non-locality subrecipient’s auditor identified $82,253 in known questioned costs because the subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Clearinghouse. A management decision is Social Services’ written determination, provided to the subrecipient, of the adequacy of the subrecipient’s proposed corrective actions, based on Social Services’ evaluation of the audit findings and the proposed corrective actions, including whether any questioned costs are disallowed and must be repaid to the federal awarding agency.
As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant.
According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns Compliance responsibility for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that the agency is fulfilling its pass-through entity responsibilities under 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until Social Services takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending or terminating the federal award in part or in its entirety, initiating suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, by not reviewing the non-locality Single Audit reports, Social Services may be unaware of a potential liability to the Commonwealth.
Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors that created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-101: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-105; 2022-103
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0
Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the ACF-199 and ACF-209 performance reports. The ACF requires Social Services to submit this data to ACF quarterly, and ACF uses the data to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program.
Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on the provider’s internal controls during the data extraction and data reporting process. Since the prior audit, Benefit Programs has worked with its service provider to analyze the reporting errors to determine the cause and appropriate actions to resolve these errors. However, because of the extent of its corrective actions, Benefit Programs has not fully implemented all of them and continues to rely on ACF’s error correction controls, performed after report submission, to obtain assurance over the accuracy of the data included in its submissions.
We audited 60 cases and identified 19 instances (32%) where the third-party service provider did not report key line-item information accurately based on the data Social Services maintains in its case management system or other supporting data and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report on the following key line items:
Benefit Programs did not accurately report on the “Work Participation Status” key line item for 13 out of 60 (22%) cases tested during the audit.
Benefit Programs did not accurately report on the “Receives Subsidized Child Care” key line item for four out of 31 (13%) cases tested during the audit.
Benefit Programs did not accurately report on the “Hours of Participation” key line item for four out of 60 (7%) cases tested during the audit.
Benefit Programs did not accurately report on the “Work Eligibility Individual Indicator” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Number of Months Countable Toward Federal Time Clock” key line item for two out of 56 (4%) cases tested during the audit.
Benefit Programs did not accurately report on the “Type of Family for Work Participation” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Parent with Minor Child” key line item for one out of 56 (2%) cases tested during the audit.
Benefit Programs did not accurately report on the “Unsubsidized Employment” key line item for one out of 60 (2%) cases tested during the audit.
Additionally, because of the lack of internal control over the ACF-199 and ACF-209 federal reports, Benefit Programs did not identify that the ACF revised the reporting specifications in November 2023 for certain key line items. Although ACF provided administering agencies with nearly a year to implement the new reporting specifications, Benefit Programs has not yet initiated discussions with its service provider to bring its current reporting model in line with the new reporting specifications. Therefore, there is risk that Social Services will continue to report inaccurate information to ACF going forward without working with its service provider to implement the new reporting specifications.
Title 45 CFR § 265.7(b) requires States to submit complete and accurate reports, which means that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent. Additionally, 2 CFR § 200.303(a) requires that Social Services establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reporting potentially inaccurate or incomplete information prevents the ACF from adequately monitoring Social Services’ work participation rates and the overall performance of the TANF federal grant program. Further, ACF can impose a penalty if it finds that Social Services did not meet the statutorily required work participation rates. Because of the scope of this matter and the errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance, since Social Services did not comply with the provisions of 45 CFR § 265.7(b).
Benefit Programs should implement internal controls over the TANF federal performance reporting process, including a documented secondary review of the service provider’s data that it completes prior to report submission. Additionally, Benefit Programs should develop a process to track changes to the reporting specifications and communicate the changes to the service provider in advance of the applicable implementation date.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-102: Implement Internal Controls over TANF Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Benefit Programs has not documented its process for preparing the ACF’s Annual Report on State MOE Programs (ACF-204) for the TANF federal grant program. ACF requires Social Services to submit this data annually and uses the information in reports to Congress about how TANF programs are evolving, in assessing State and Territory MOE expenditures, and in assessing the need for legislative changes. Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
During fiscal year 2024, Benefit Programs performed an analysis of ACF-204 reporting errors identified during the prior audit to determine causality and has taken actions to resolve those errors. Additionally, Benefit Programs created a systems modification request to correct errors that it identified as occurring due to inaccurate programming in the data modification phase of the federal report creation. However, Benefit Programs has not yet documented its processes for preparing the ACF-204 report through a written policy and procedure.
Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Benefit Programs should dedicate the necessary resources to document its processes for preparing the ACF-204 report to ensure reasonably accurate reporting of TANF MOE Programs to ACF in accordance with the ACF-204 reporting instructions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-103: Monitor Case Management System Records to Ensure Compliance with TANF Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-103
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 8 USC § 1611; 42 USC § 604(a)(1); 42 USC § 608(a)(3); 42 USC § 608(a)(10); 45 CFR § 261.13; 45 CFR § 263.2(b)(2)
Known Questioned Costs: $6,968
Social Services did not comply with certain federal eligibility requirements for the TANF federal grant program, resulting in known questioned costs of $6,968. The TANF federal grant program provided over $89 million in assistance to approximately 26,000 needy families during fiscal year 2024. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 24 instances (<1%) where the facts in the recipient's case record did not support the eligibility determination. Specifically:
For 14 payments, Social Services did not properly evaluate whether individuals were already counted as eligible for TANF benefits under an existing case, which allowed these individuals to receive multiple benefit payments in excess of its Standards of Assistance and maximum program benefit amounts. Title 42 United States Code (USC) § 604(a)(1) mandates that a state may use the grant in any manner that is reasonably calculated to accomplish the purpose of TANF, where Social Services’ reasonable calculation is defined by the Standards of Assistance and maximum program benefit amounts within its TANF Program Manual.
For five payments, Social Services did not properly assign to the state the rights that the family member may have for child support, and as a result recipients were underpaid in their benefit amount. Title 42 USC § 608(a)(3) mandates that the state shall require, as a condition of providing assistance, that a member of the family assign to the state the rights the family member may have for support from any other person, and this assignment may not exceed the amount of assistance provided by the state.
For one payment, Social Services did not properly evaluate the income eligibility of the case. Title 45 CFR § 263.2(b)(2) defines financially “needy” as financially eligible according to the state’s quantified income and resource criteria, which Social Services quantifies through its TANF Manual as maximum income charts in Section 305, Appendix 1.
For one payment, Social Services did not properly evaluate the extended absence of a child or adult from the home for the case. Title 42 USC § 608(a)(10) mandates that a state shall not use any part of the grant to provide assistance to a minor child who has been absent from the home for a period of 45 consecutive days.
For two payments, Social Services did not properly reduce or terminate assistance for individuals not complying with the Commonwealth’s work requirements for the TANF program. Title 45 CFR § 261.13 mandates that if an individual in a family receiving assistance refuses to engage in required work without good cause, a state must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual refuses or may terminate assistance.
For one payment, Social Services did not properly evaluate the qualified alien status of the case as required by 8 USC § 1611.
Social Services relies on its case management system to properly determine eligibility, correctly calculate benefit payments, and achieve the federal requirements of the TANF federal grant program. Of the exceptions noted above, five of the 24 (21%) were the result of local Social Services eligibility workers mistakenly reporting child support payments as unearned revenue beyond the acceptable timeframe instead of assigning these payments to the Commonwealth for referral to the Division of Child Support Enforcement, as required by the USC. The remaining 19 exceptions (79%) resulted from local Social Services eligibility workers not including sufficient documentation to justify the rationale for their eligibility determinations. Social Services did not identify these exceptions because it did not have a mechanism to identify risky transactions in its case management system that deviate from its normal practices and require further follow-up. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should continue to provide additional training to local Social Services eligibility workers on how to properly determine and document eligibility determinations in its case management system. Additionally, Social Services should consider implementing a data-driven approach to monitor and analyze data from its case management system to identify risky transactions that deviate from its normal practices. By providing additional training and implementing additional risk-based data analytics, Social Services will be able to ensure that the facts in the applicant’s or recipient’s case record support each eligibility decision in its case management system and comply with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-107; 2022-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Finance is not maintaining adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting is intended to provide full disclosure of how entities and organizations are obligating federal funds. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds from roughly 5,300 subawards.
While auditing FFATA reporting for the TANF federal grant program, we noted that Finance did not file any FFATA reports for its subrecipients. Social Services awarded over $72 million in nearly 300 new TANF subawards during fiscal year 2024. Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action that equals or exceeds $30,000 to the FFATA Subaward Reporting System (FSRS) by the end of the month following the obligating action. This also applies to any subaward modifications that increase the amount to equal or exceed $30,000. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities, since it does not determine which subrecipients will receive federal funding. Because there is an elevated risk that Finance will not report all subaward information to FSRS, it has obtained a report of subrecipients from its financial reporting system and identified those who spent $30,000 or more in TANF funds during fiscal year 2024. However, Finance management did not compare this report to its FSRS submissions to verify that the agency submitted them accurately and timely. As a result, Finance management did not recognize that it did not comply with the FFATA reporting requirements.
When Social Services does not upload all obligating actions meeting the reporting threshold to FSRS as required, a citizen or federal official may have a distorted view as to how Social Services is obligating federal funds. Finance management should provide sufficient oversight to confirm that the agency is submitting FFATA reporting submissions timely. Specifically, Finance management should periodically compare the report of subrecipients from its financial reporting system to FSRS to ensure it is reporting all subawards to FSRS and escalate any concerns that hinder its ability to comply with federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1)
Known Questioned Costs: $0
Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and noted that none of them contained all of the elements required by 2 CFR § 200.332(a)(1); each was missing one or more. Specifically, we noted the following instances of non-compliance in these subaward renewal agreements:
Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii).
Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii).
Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii).
Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x).
Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii).
Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv).
During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement.
Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements.
Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f)
Known Questioned Costs: $0
Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments and consist mainly of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following:
Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000.
Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One of the non-locality subrecipient auditors identified $82,253 in known questioned costs because the non-locality subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Clearinghouse. A management decision is Social Services’ written determination, provided to its subrecipient, of the adequacy of the subrecipient’s proposed corrective actions to address the audit findings. It is based on Social Services’ evaluation of the audit findings and the proposed corrective actions, including a determination of whether the questioned costs are disallowed and must be repaid to the federal awarding agency.
As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant.
According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns Compliance the responsibility for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that it is fulfilling the pass-through entity responsibilities in 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until Social Services takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending or terminating the federal award in part or in its entirety, initiating suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, by not reviewing the non-locality Single Audit reports, Social Services may be unaware of a potential liability to the Commonwealth.
Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include in their schedule for the fiscal year a locality whose programmatic risk assessment identified it as requiring a targeted monitoring review.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which resulted in program consultants performing only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-101: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-105; 2022-103
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0
Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the ACF-199 and ACF-209 performance reports. ACF requires Social Services to submit this data quarterly and uses it to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program.
Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on the provider’s internal controls during the data extraction and data reporting process. Since the prior audit, Benefit Programs has worked with its service provider to analyze the reporting errors to determine the cause and appropriate actions to resolve these errors. However, because of the extent of its corrective actions, Benefit Programs has not fully implemented all of them and continues to rely on ACF’s error correction controls, performed after report submission, to obtain assurance over the accuracy of the data included in its submissions.
We audited 60 cases and identified 19 instances (32%) where the third-party service provider did not report key line-item information accurately based on the data Social Services maintains in its case management system or other supporting data and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report on the following key line items:
Benefit Programs did not accurately report on the “Work Participation Status” key line item for 13 out of 60 (22%) cases tested during the audit.
Benefit Programs did not accurately report on the “Receives Subsidized Child Care” key line item for four out of 31 (13%) cases tested during the audit.
Benefit Programs did not accurately report on the “Hours of Participation” key line item for four out of 60 (7%) cases tested during the audit.
Benefit Programs did not accurately report on the “Work Eligibility Individual Indicator” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Number of Months Countable Toward Federal Time Clock” key line item for two out of 56 (4%) cases tested during the audit.
Benefit Programs did not accurately report on the “Type of Family for Work Participation” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Parent with Minor Child” key line item for one out of 56 (2%) cases tested during the audit.
Benefit Programs did not accurately report on the “Unsubsidized Employment” key line item for one out of 60 (2%) cases tested during the audit.
Additionally, because of the lack of internal control over the ACF-199 and ACF-209 federal reports, Benefit Programs did not identify that the ACF revised the reporting specifications in November 2023 for certain key line items. Although ACF provided administering agencies with nearly a year to implement the new reporting specifications, Benefit Programs has not yet initiated discussions with its service provider to bring its current reporting model in line with the new reporting specifications. Therefore, there is risk that Social Services will continue to report inaccurate information to ACF going forward without working with its service provider to implement the new reporting specifications.
Title 45 CFR § 265.7(b) requires States to submit complete and accurate reports, which means that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent. Additionally, 2 CFR § 200.303(a) requires that Social Services establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring Social Services’ work participation rates and the overall performance of the TANF federal grant program. Further, ACF can impose a penalty if it finds Social Services did not meet statutorily required work participation rates. Because of the scope of this matter and the errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance since Social Services did not comply with the provisions at 45 CFR § 265.7(b).
Benefit Programs should implement internal controls over the TANF federal performance reporting process, including a documented secondary review of the service provider’s data that it completes before report submission. Additionally, Benefit Programs should develop a process to track changes to the reporting specifications and communicate the changes to the service provider in advance of the applicable implementation date.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-102: Implement Internal Controls over TANF Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Benefit Programs has not documented its process for preparing the ACF’s Annual Report on State MOE Programs (ACF-204) for the TANF federal grant program. ACF requires Social Services to submit this data annually and uses the information in reports to Congress about how TANF programs are evolving, in assessing State and Territory MOE expenditures, and in assessing the need for legislative changes. Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
During fiscal year 2024, Benefit Programs performed an analysis of ACF-204 reporting errors identified during the prior audit to determine causality and has taken actions to resolve those errors. Additionally, Benefit Programs created a systems modification request to correct errors that it identified as occurring due to inaccurate programming in the data modification phase of the federal report creation. However, Benefit Programs has not yet documented its processes for preparing the ACF-204 report through a written policy and procedure.
Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Benefit Programs should dedicate the necessary resources to document its processes for preparing the ACF-204 report to ensure reasonably accurate reporting of TANF MOE Programs to ACF in accordance with the ACF-204 reporting instructions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-103: Monitor Case Management System Records to Ensure Compliance with TANF Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-103
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 8 USC § 1611; 42 USC § 604(a)(1); 42 USC § 608(a)(3); 42 USC § 608(a)(10); 45 CFR § 261.13; 45 CFR § 263.2(b)(2)
Known Questioned Costs: $6,968
Social Services did not comply with certain federal eligibility requirements for the TANF federal grant program, resulting in known questioned costs of $6,968. The TANF federal grant program provided over $89 million in assistance to approximately 26,000 needy families during fiscal year 2024. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 24 instances (<1%) where the facts in the recipient's case record did not support the eligibility determination. Specifically:
For 14 payments, Social Services did not properly evaluate whether individuals were already counted as eligible for TANF benefits under an existing case which allowed these individuals to receive multiple benefit payments in excess of its Standards of Assistance and maximum program benefit amounts. Title 42 United States Code (USC) § 604(a)(1) mandates that a state may use the grant in any manner that is reasonably calculated to accomplish the purpose of TANF where Social Services’ reasonable calculation is defined by its Standard of Assistance and maximum program benefit amounts within its TANF Program Manual.
For five payments, Social Services did not properly assign to the state the rights that the family member may have for child support, and as a result recipients were underpaid in their benefit amount. Title 42 USC § 608(a)(3) mandates that the state shall require, as a condition of providing assistance, that a member of the family assign to the state the rights the family member may have for support from any other person; this assignment may not exceed the amount of assistance provided by the state.
For one payment, Social Services did not properly evaluate the income eligibility of the case. Title 45 CFR § 263.2(b)(2) defines financially “needy” as financially eligible according to the state’s quantified income and resource criteria, which Social Services quantifies through its TANF Manual as maximum income charts in Section 305, Appendix 1.
For one payment, Social Services did not properly evaluate the extended absence of a child or adult to the case. Title 42 USC § 608(a)(10) mandates that a state shall not use any part of the grant to provide assistance to a minor child who has been absent from the home for a period of 45 consecutive days.
For two payments, Social Services did not properly reduce or terminate assistance for individuals not complying with the Commonwealth’s work requirements for the TANF program. Title 45 CFR § 261.13 mandates that if an individual in a family receiving assistance refuses to engage in required work without good cause, a state must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual refuses or may terminate assistance.
For one payment, Social Services did not properly evaluate the qualified alien status of the case as required by 8 USC § 1611.
Social Services relies on its case management system to properly determine eligibility, correctly calculate benefit payments, and achieve the federal requirements of the TANF federal grant program. Of the exceptions noted above, five of the 24 (21%) were the result of local Social Services eligibility workers mistakenly reporting child support payments as unearned revenue beyond the acceptable timeframe instead of assigning these payments to the Commonwealth for referral to the Division of Child Support Enforcement, as required by the USC. The remaining 19 exceptions (79%) resulted from local Social Services eligibility workers not including sufficient documentation to justify the rationale for their eligibility determinations. Social Services did not identify these exceptions because it did not have a mechanism to identify risky transactions in its case management system that deviate from its normal practices and require further follow-up. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should continue to provide additional training to local Social Services eligibility workers on how to properly determine and document eligibility determinations in its case management system. Additionally, Social Services should consider implementing a data-driven approach to monitor and analyze data from its case management system to identify risky transactions that deviate from its normal practices. By providing additional training and implementing additional risk-based data analytics, Social Services will be able to ensure that the facts in the applicant’s or recipient’s case record support each eligibility decision in its case management system and comply with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-107; 2022-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Finance is not maintaining adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting is intended to provide full disclosure of how entities and organizations are obligating federal funds. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds from roughly 5,300 subawards.
While auditing FFATA reporting for the TANF federal grant program, we noted that Finance did not file any FFATA reports for its subrecipients. Social Services awarded over $72 million in nearly 300 new TANF subawards during fiscal year 2024. Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action that equals or exceeds $30,000 to the FFATA Subaward Reporting System (FSRS) by the end of the month following the obligating action. This also applies to any subaward modifications that increase the amount to equal or exceed $30,000. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities since it does not determine which subrecipients will receive federal funding. Since there is an elevated risk that Finance will not report all subaward information to FSRS, it has obtained a report of subrecipients from its financial reporting system and identified those who spent $30,000 or more in TANF funds during fiscal year 2024. However, Finance management did not compare this report to its FSRS submissions to verify that the agency made those submissions accurately and timely. As a result, Finance management did not recognize that it did not comply with the FFATA reporting requirements.
When Social Services does not upload all obligating actions meeting the reporting threshold to FSRS as required, a citizen or federal official may have a distorted view as to how Social Services is obligating federal funds. Finance management should provide sufficient oversight to confirm that the agency is submitting FFATA reporting submissions timely. Specifically, Finance management should periodically compare the report of subrecipients from its financial reporting system to FSRS to ensure it is reporting all subawards to FSRS and escalate any concerns that hinder its ability to comply with federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors that created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-104: Implement Internal Controls over LIHEAP Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a); 45 CFR § 96.82(a)
Known Questioned Costs: $0
Benefit Programs has not documented its processes for preparing and verifying the information reported in the LIHEAP federal grant program’s Annual Household Report. The federal government requires Social Services to annually submit this data and uses this information to provide reports to Congress for assessing the uses of funds for the assistance of households in need.
Benefit Programs uses a third-party service provider to produce data reports from its case management system that program staff use to populate the LIHEAP Annual Household Report, and Benefit Programs relies on the third-party service provider’s internal controls during the data extraction process. Benefit Programs could not substantiate the information reported for four out of seven (57%) of the line items in Section I - Number of assisted households of the most recent LIHEAP Annual Household Report. Specifically, we noted the following inconsistencies:
Benefit Programs reported 2,571 households assisted on the Emergency Furnace Repair and Replacement line, which is 12 percent higher than the information in the case management system.
Benefit Programs reported 118,347 households assisted on the Any Type of LIHEAP Assistance line, which is 21 percent lower than the information in the case management system.
Benefit Programs reported 117,274 households assisted on the Bill Payment Assistance line, which is 20 percent higher than the information in the case management system.
Benefit Programs could not provide support to substantiate the Weatherization line.
Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and its terms and conditions. Further, 45 CFR § 96.82(a) requires each grantee, whether a State or an insular area, that receives an annual allotment of at least $200,000 to submit this data for the 12-month period preceding the federal fiscal year in which the grantee requests the funds. The grantee must report the data separately for LIHEAP heating, cooling, crisis, and weatherization assistance. If Social Services does not submit this report properly, ACF may not grant Social Services its LIHEAP allotment, per 45 CFR § 96.82(c).
Benefit Programs has not dedicated the necessary resources to document its processes for preparing the LIHEAP Annual Household Report. Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Additionally, reporting potentially inaccurate information prevents the federal government from adequately monitoring Social Services’ overall performance for the LIHEAP federal grant program. Therefore, Benefit Programs should dedicate the necessary resources to document its processes for preparing the LIHEAP Annual Household Report, including the processes used to verify the data provided by its third-party service provider.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-105: Monitor Case Management System Records to Ensure Compliance with LIHEAP Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 USC § 8624(b)(10)
Known Questioned Costs: $6,569
Social Services did not comply with certain federal eligibility requirements for the LIHEAP federal grant program, resulting in known questioned costs of $6,569. Social Services provided over $114 million in assistance to approximately 215,000 needy families during fiscal year 2024 through the LIHEAP federal grant program. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 12 instances (<1%) where individuals applied for benefits more than once and received benefit payments in excess of Social Services’ maximum benefit amounts.
Social Services relies on its case management system to ensure it determines eligibility properly, calculates benefit payments correctly, and complies with federal and state laws and regulations. However, Social Services’ case management system does not prevent eligibility workers from authorizing individuals on multiple cases; it instead displays a warning message that they can choose to ignore. Additionally, Social Services does not have a mechanism to detect when an individual has received benefits from multiple cases and/or received benefit payments in excess of its maximum benefit amount.
Title 42 USC § 8624(b)(10) mandates that the State shall provide fiscal control to assure the proper disbursal of and accounting for Federal funds, including procedures for monitoring the assistance provided. Further, Social Services’ Energy Assistance Program Manual, which it developed to comply with 42 USC § 8624(b)(10), stipulates that the eligibility worker will determine whether each adult household member is associated with an existing case number when they apply or reapply for benefits. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should provide additional training to eligibility workers to properly identify individuals who have already applied for and received LIHEAP benefits. Additionally, Social Services should review the case management system’s current warning messages to determine how it can strengthen internal controls so that eligibility workers will not be able to approve cases which could result in this type of error. Finally, Social Services should consider implementing a detective control, such as reviewing payment reports, to identify potential disallowed payments resulting from an individual appearing on multiple case records.
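As an added illustration that is not part of the audit report or the agency's systems, the following script sketches the kind of detective control recommended above: it runs over payment records and flags individuals associated with more than one case record and individuals whose total payments exceed the maximum benefit amount. The record layout, the $700 cap, and the sample payments are assumptions constructed for the example.

```python
"""Added example: a detective control over benefit payment records.

Flags (1) individuals who appear on more than one case record and
(2) individuals whose total payments exceed the program's maximum benefit
amount, and totals the excess as the amount an auditor would question.
The record layout, the cap and the sample data are assumptions, not the
agency's actual system or figures.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    case_id: str        # case record the payment was authorized on
    individual_id: str  # identifier for the adult household member paid
    amount: float       # dollars paid


# Assumed maximum benefit per individual for the period (illustrative only).
MAX_BENEFIT = 700.0

# Constructed sample data; the two anomalies are planted deliberately.
SAMPLE_PAYMENTS = [
    Payment("C-1001", "P-01", 400.0),
    Payment("C-1002", "P-01", 350.0),  # P-01 authorized on a second case
    Payment("C-2001", "P-02", 500.0),
    Payment("C-3001", "P-03", 600.0),
    Payment("C-3001", "P-03", 200.0),  # second payment on one case, over the cap
    Payment("C-4001", "P-04", 300.0),
]


def find_multi_case_individuals(payments):
    """Map individual -> sorted case ids, for individuals on more than one case."""
    cases = defaultdict(set)
    for p in payments:
        cases[p.individual_id].add(p.case_id)
    return {ind: sorted(ids) for ind, ids in cases.items() if len(ids) > 1}


def total_by_individual(payments):
    """Sum payments per individual across all of that individual's cases."""
    totals = defaultdict(float)
    for p in payments:
        totals[p.individual_id] += p.amount
    return dict(totals)


def find_over_maximum(payments, max_benefit=MAX_BENEFIT):
    """Map individual -> total paid, for totals above the maximum benefit."""
    return {ind: round(t, 2) for ind, t in total_by_individual(payments).items()
            if t > max_benefit}


def questioned_costs(payments, max_benefit=MAX_BENEFIT):
    """Sum of the amounts paid above the cap (the portion that would be questioned)."""
    over = find_over_maximum(payments, max_benefit)
    return round(sum(t - max_benefit for t in over.values()), 2)


def run_detective_control(payments, max_benefit=MAX_BENEFIT):
    """One pass suitable for a periodic review of a payment report."""
    return {
        "multi_case": find_multi_case_individuals(payments),
        "over_maximum": find_over_maximum(payments, max_benefit),
        "questioned_costs": questioned_costs(payments, max_benefit),
    }


if __name__ == "__main__":
    report = run_detective_control(SAMPLE_PAYMENTS)
    for ind, ids in report["multi_case"].items():
        print(f"{ind}: appears on multiple cases {ids}")
    for ind, total in report["over_maximum"].items():
        print(f"{ind}: paid {total:.2f}, above cap {MAX_BENEFIT:.2f}")
    print(f"questioned costs: {report['questioned_costs']:.2f}")
```

On the sample data the control flags P-01 (two cases, $750 total) and P-03 (one case, $800 total), for $150 paid above the cap; a real run would take the payment report for the period as input in place of the constructed list.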
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-104: Implement Internal Controls over LIHEAP Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a); 45 CFR § 96.82(a)
Known Questioned Costs: $0
Benefit Programs has not documented its processes for preparing and verifying the information reported in the LIHEAP federal grant program’s Annual Household Report. The federal government requires Social Services to annually submit this data and uses this information to provide reports to Congress for assessing the uses of funds for the assistance of households in need.
Benefit Programs uses a third-party service provider to produce data reports from its case management system that program staff use to populate the LIHEAP Annual Household Report and Benefit Programs relies on the third-party service provider’s internal controls during the data extraction process. Benefit Programs could not substantiate the information reported for four out of seven (57%) of the line items in Section I - Number of assisted households of the most recent LIHEAP Annual Household Report. Specifically, we noted the following inconsistencies:
Benefit Programs reported 2,571 households assisted on the Emergency Furnace Repair and Replacement line, which is 12 percent higher than the information in the case management system.
Benefit Programs reported 118,347 households assisted on the Any Type of LIHEAP Assistance line, which is 21 percent lower than the information in the case management system.
Benefit Programs reported 117,274 households assisted on the Bill Payment Assistance line, which is 20 percent higher than the information in the case management system.
Benefit Programs could not provide support to substantiate the Weatherization line.
Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and its terms and conditions. Further, 45 CFR § 96.82(a) requires each grantee, whether a State or an insular area, that receives an annual allotment of at least $200,000 to submit this data for the 12-month period preceding the federal fiscal year in which the grantee requests the funds. The grantee must report the data separately for LIHEAP heating, cooling, crisis, and weatherization assistance. If Social Services does not submit this report properly, ACF may not grant them their LIHEAP grant allotment as per 45 CFR § 96.82(c).
Benefit Programs has not dedicated the necessary resources to document its processes for preparing the LIHEAP Annual Household Report. Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Additionally, reporting potentially inaccurate information prevents the federal government from adequately monitoring Social Services’ overall performance for the LIHEAP federal grant program. Therefore, Benefit Programs should dedicate the necessary resources to document its processes for preparing the LIHEAP Annual Household Report, including the processes used to verify the data provided by its third-party service provider.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-105: Monitor Case Management System Records to Ensure Compliance with LIHEAP Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 USC § 8624(b)(10)
Known Questioned Costs: $6,569
Social Services did not comply with certain federal eligibility requirements for the LIHEAP federal grant program, resulting in known questioned costs of $6,569. Social Services provided over $114 million in assistance to approximately 215,000 needy families during fiscal year 2024 through the LIHEAP federal grant program. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 12 instances (<1%) where individuals applied for benefits more than once and received benefit payments in excess of Social Services’ maximum benefit amounts.
Social Services relies on its case management system to ensure it determines eligibility properly, calculates benefit payments correctly, and complies with federal and state laws and regulations. However, Social Services’ case management system does not prevent eligibility workers from authorizing individuals on multiple cases; it only displays a warning message, which the worker can choose to ignore. Additionally, Social Services does not have a mechanism to detect when an individual has received benefits from multiple cases and/or received benefit payments in excess of its maximum benefit amount.
Title 42 USC § 8624(b)(10) mandates that the State shall provide fiscal control to assure the proper disbursal of and accounting for Federal funds, including procedures for monitoring the assistance provided. Further, Social Services’ Energy Assistance Program Manual, which it developed to comply with 42 USC § 8624(b)(10), stipulates that the eligibility worker will determine whether each adult household member is associated with an existing case number when they apply or reapply for benefits. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should provide additional training to eligibility workers to properly identify individuals who have already applied for and received LIHEAP benefits. Additionally, Social Services should review the case management system’s current warning messages to determine how it can strengthen internal controls so that eligibility workers will not be able to approve cases which could result in this type of error. Finally, Social Services should consider implementing a detective control, such as reviewing payment reports, to identify potential disallowed payments resulting from an individual appearing on multiple case records.
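The two controls recommended above, as an added example that is not part of the audit report or of Social Services’ case management system: a detective review of a payment report that flags individuals linked to more than one case and per-person totals above the maximum benefit, and a preventive check that refuses (rather than warns about) authorizing a case whose adult members already appear on another case. The case, member and payment records and the maximum benefit amounts are constructed placeholders.

```python
"""Detective and preventive controls over LIHEAP case and payment records.
Added example; not the audit report's or Social Services' own code.
All identifiers, amounts and maximum benefit values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder maximum benefit per program component (constructed, not the
# agency's real limits).
MAX_BENEFIT = {"heating": 600.0, "cooling": 300.0, "crisis": 500.0}


@dataclass(frozen=True)
class Payment:
    case_id: str
    component: str
    amount: float


# Constructed case listing for one program year: case -> adult household
# members (client IDs). A person legitimately on a prior year's case should
# be out of scope, so the listing is assumed to be scoped to the year reviewed.
CASE_MEMBERS = {
    "C-1001": ("P-1", "P-2"),
    "C-1002": ("P-3",),
    "C-1003": ("P-1",),          # P-1 also appears on C-1001
    "C-1004": ("P-4", "P-5"),
    "C-1005": ("P-5",),          # P-5 also appears on C-1004
}

# Constructed payment report export.
PAYMENTS = [
    Payment("C-1001", "heating", 400.0),
    Payment("C-1002", "heating", 550.0),
    Payment("C-1003", "heating", 350.0),   # pushes P-1 over the heating max
    Payment("C-1004", "cooling", 200.0),
    Payment("C-1005", "cooling", 100.0),   # P-5 total equals, not exceeds, max
    Payment("C-1004", "crisis", 500.0),
]


def individuals_on_multiple_cases(case_members):
    """Return {person_id: sorted case ids} for anyone linked to two or more cases.
    Each hit is a candidate for review, not an automatic disallowance."""
    cases_by_person = defaultdict(set)
    for case_id, members in case_members.items():
        for person in members:
            cases_by_person[person].add(case_id)
    return {p: sorted(c) for p, c in cases_by_person.items() if len(c) > 1}


def payments_over_maximum(payments, case_members, max_benefit):
    """Attribute each case payment to every adult on that case and return
    {(person_id, component): (total, excess)} where the per-person total
    exceeds the component maximum. Aggregating by person rather than by case
    is what surfaces a benefit split across duplicate applications."""
    totals = defaultdict(float)
    for pay in payments:
        for person in case_members.get(pay.case_id, ()):
            totals[(person, pay.component)] += pay.amount
    flagged = {}
    for (person, component), total in totals.items():
        limit = max_benefit.get(component, float("inf"))
        if total > limit:
            flagged[(person, component)] = (round(total, 2), round(total - limit, 2))
    return flagged


class DuplicateApplicantError(ValueError):
    """Raised when a new case would put a person on a second active case."""


def authorize_case(new_case_id, members, case_members):
    """Preventive counterpart: block, instead of merely warning about, a new
    case whose adult members already appear on an existing case. Returns the
    updated case listing; the original mapping is not modified."""
    already = {p: sorted(c for c, m in case_members.items() if p in m)
               for p in members}
    already = {p: c for p, c in already.items() if c}
    if already:
        raise DuplicateApplicantError(f"members already on existing cases: {already}")
    return {**case_members, new_case_id: tuple(members)}


if __name__ == "__main__":
    print("On multiple cases:", individuals_on_multiple_cases(CASE_MEMBERS))
    print("Over maximum:", payments_over_maximum(PAYMENTS, CASE_MEMBERS, MAX_BENEFIT))
```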
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to make accurate and timely payments of Medicaid claims to providers and to maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion on internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report they cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls or that those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, which was effective on February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, which has resulted in the agency not yet verifying the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and, as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines the required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as the business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur, to help detect and address potential misconfigurations in a timely manner. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database and ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet and submit it to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it only recently formalized the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to carry out the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. By not dedicating the necessary IT resources to information security, Social Services has hindered its ability to consistently remediate, in a timely manner, findings from management recommendations issued during prior year audits and to bring the information security program into compliance with the Security Standard.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to act as a liaison between TSD and the Division of Information Security and Risk Management (ISRM) and help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has neither performed nor documented a conflicting access review to identify the combinations of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
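A conflicting access review of the kind recommended above, as an added example that is not part of the audit report or of Social Services’ case management system. It derives the role combinations that grant conflicting actions (for instance determining eligibility and authorizing the payment on the same case), then reviews a user access listing and reports each conflict together with whether a documented compensating control covers it. Role names, the role-to-action mapping, the conflicting action pairs, the access listing and the compensating control register are all constructed.

```python
"""Conflicting access (separation of duties) review over a role-based access
listing. Added example; not the audit report's or Social Services' own code.
Roles, actions, users and controls below are constructed placeholders."""
from itertools import combinations

# Constructed: what each system role lets a user do.
ROLE_PERMISSIONS = {
    "ELIGIBILITY_WORKER": {"view_case", "determine_eligibility"},
    "PAYMENT_AUTHORIZER": {"view_case", "authorize_payment"},
    "USER_ADMIN": {"manage_user_access"},
    "SUPERVISOR_READONLY": {"view_case", "view_payment_report"},
    # A single role that bundles both halves of a transaction is itself a conflict.
    "CASE_MANAGER": {"view_case", "determine_eligibility", "authorize_payment"},
}

# Constructed: pairs of actions one person should not hold together.
CONFLICTING_ACTIONS = {
    frozenset({"determine_eligibility", "authorize_payment"}),
    frozenset({"manage_user_access", "authorize_payment"}),
    frozenset({"manage_user_access", "determine_eligibility"}),
}

# Constructed access listing export: user -> assigned roles.
ACCESS_LISTING = {
    "jdoe": {"ELIGIBILITY_WORKER"},
    "asmith": {"ELIGIBILITY_WORKER", "PAYMENT_AUTHORIZER"},
    "rlee": {"USER_ADMIN", "PAYMENT_AUTHORIZER"},
    "mgarcia": {"SUPERVISOR_READONLY", "ELIGIBILITY_WORKER"},
    "tnguyen": {"CASE_MANAGER"},
}

# Constructed register of documented, approved compensating controls,
# keyed by (user, conflicting action pair). Anything not in here is unmitigated.
COMPENSATING_CONTROLS = {
    ("asmith", ("authorize_payment", "determine_eligibility")):
        "Weekly supervisor review of payments authorized on own cases (placeholder approval reference)",
}


def role_set_conflicts(roles, role_permissions, conflicting_actions):
    """Return the conflicting action pairs granted by the combined roles,
    as sorted tuples so results are stable for documentation."""
    granted = set()
    for role in roles:
        granted |= role_permissions.get(role, set())   # unknown role grants nothing
    return sorted(tuple(sorted(pair)) for pair in conflicting_actions if pair <= granted)


def conflicting_role_combinations(role_permissions, conflicting_actions):
    """Inventory the minimal role combinations (single roles and pairs) that
    create a conflict. A pair is skipped when one of its roles already
    conflicts on its own, so the inventory names root causes only."""
    roles = sorted(role_permissions)
    single = {r for r in roles if role_set_conflicts((r,), role_permissions, conflicting_actions)}
    inventory = {(r,): role_set_conflicts((r,), role_permissions, conflicting_actions) for r in single}
    for pair in combinations(roles, 2):
        if single.isdisjoint(pair):
            found = role_set_conflicts(pair, role_permissions, conflicting_actions)
            if found:
                inventory[pair] = found
    return inventory


def review_access_listing(listing, role_permissions, conflicting_actions, controls):
    """One finding per (user, conflict). 'mitigated' is True only when a
    documented compensating control is registered for that exact conflict."""
    findings = []
    for user, roles in sorted(listing.items()):
        for conflict in role_set_conflicts(roles, role_permissions, conflicting_actions):
            control = controls.get((user, conflict))
            findings.append({
                "user": user,
                "roles": sorted(roles),
                "conflict": conflict,
                "mitigated": control is not None,
                "control": control,
            })
    return findings


if __name__ == "__main__":
    for combo, found in conflicting_role_combinations(ROLE_PERMISSIONS, CONFLICTING_ACTIONS).items():
        print("role combination", combo, "grants", found)
    for f in review_access_listing(ACCESS_LISTING, ROLE_PERMISSIONS, CONFLICTING_ACTIONS, COMPENSATING_CONTROLS):
        status = "mitigated" if f["mitigated"] else "UNMITIGATED"
        print(f["user"], f["conflict"], status)
```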
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified.
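The two remediation clocks described above run from different start dates (detection for the agency procedure; fix availability for SEC520) and can disagree. The following is an added example, not the agency’s code, that evaluates constructed scanner findings against both clocks and honors a CSRM-approved exception; field names, dates and identifiers are constructed, and treating critical like high under the agency procedure is an assumption.

```python
"""
Evaluate scanner findings against two remediation clocks:
  * the agency procedure: 30/60/90 days from first detection, by severity, and
  * SEC520: 30 days (critical/high) or 90 days (all others) from fix availability,
with an approved security exception suppressing an otherwise reportable breach.
All dates, hosts and identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Agency Vulnerability Scan Management procedure, measured from first detection.
# The finding lists high/medium/others; treating critical like high is an assumption.
PROCEDURE_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}
# SEC520 Risk Management Standard, measured from the date a fix became available.
SEC520_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}

AS_OF = date(2024, 11, 15)  # reporting date used for open findings


@dataclass
class Vuln:
    vuln_id: str                    # scanner check id (constructed placeholder)
    host: str
    severity: str                   # critical, high, medium, or low
    first_seen: date                # first reported by the 30-day scan cycle
    fix_available: Optional[date]   # None when the vendor has released no fix
    remediated: Optional[date] = None
    exception_until: Optional[date] = None  # CSRM-approved exception expiry


@dataclass
class Result:
    vuln_id: str
    host: str
    status: str                     # "on-time", "excepted", or "overdue"
    clocks_breached: list = field(default_factory=list)
    days_overdue: int = 0


def due_dates(v: Vuln):
    """Return (procedure_due, sec520_due); sec520_due is None without a fix."""
    sev = v.severity.lower()
    proc_due = v.first_seen + timedelta(days=PROCEDURE_DAYS.get(sev, 90))
    sec_due = None
    if v.fix_available is not None:
        sec_due = v.fix_available + timedelta(days=SEC520_DAYS.get(sev, 90))
    return proc_due, sec_due


def evaluate(v: Vuln, as_of: date) -> Result:
    proc_due, sec_due = due_dates(v)
    # Closed findings are judged at their closure date; open ones at as_of.
    measured = v.remediated if v.remediated is not None else as_of
    breached = []
    if measured > proc_due:
        breached.append("procedure")
    if sec_due is not None and measured > sec_due:
        breached.append("sec520")
    if not breached:
        return Result(v.vuln_id, v.host, "on-time")
    # An approved exception that still covers the measurement date suppresses the breach.
    if v.exception_until is not None and measured <= v.exception_until:
        return Result(v.vuln_id, v.host, "excepted", breached)
    earliest = min(d for d in (proc_due, sec_due) if d is not None and measured > d)
    return Result(v.vuln_id, v.host, "overdue", breached, (measured - earliest).days)


def overdue_summary(vulns, as_of: date) -> dict:
    """Count open, overdue findings by severity: the figure an auditor asks for."""
    counts = {}
    for v in vulns:
        if v.remediated is None and evaluate(v, as_of).status == "overdue":
            sev = v.severity.lower()
            counts[sev] = counts.get(sev, 0) + 1
    return counts


SAMPLE = [  # constructed scan export rows
    Vuln("VULN-0001", "app-01", "critical", date(2024, 8, 1), date(2024, 7, 15)),
    Vuln("VULN-0002", "db-02", "high", date(2024, 9, 20), date(2024, 10, 25)),
    Vuln("VULN-0003", "web-03", "medium", date(2024, 10, 1), date(2024, 10, 1),
         remediated=date(2024, 11, 15)),
    Vuln("VULN-0004", "web-03", "low", date(2024, 6, 1), None,
         exception_until=date(2025, 3, 31)),
    Vuln("VULN-0005", "file-04", "high", date(2024, 10, 20), date(2024, 10, 20)),
]

if __name__ == "__main__":
    for v in SAMPLE:
        r = evaluate(v, AS_OF)
        print(f"{r.vuln_id} {r.host:8} {v.severity:8} {r.status:8} "
              f"{r.clocks_breached} {r.days_overdue}d")
    print(overdue_summary(SAMPLE, AS_OF))
```

VULN-0002 shows the clocks diverging: it is past the procedure’s 30 days from detection but still inside SEC520’s 30 days from the later fix release.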
Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT security audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians that have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document their process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act, in § 42.1-91 of the Code of Virginia, makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information within the required recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
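The process described above, identifying separated individuals whose offboarding did not follow policy so their access can be removed, can be run as a routine reconciliation between the HR separation feed and the access-management export. The following is an added example, not Social Services’ code, using constructed records and assumed field names; it applies the Security Standard’s 24-hour deadline and distinguishes accounts still enabled from accounts disabled late.

```python
"""
Reconcile HR separations against an access-management export to find accounts
not disabled within 24 hours of employment termination.
All records are constructed samples; field names are assumptions.
"""
from datetime import datetime, timedelta

DEADLINE = timedelta(hours=24)   # Security Standard: disable access within 24 hours
AS_OF = datetime(2024, 6, 15, 10, 0)  # time the reconciliation is run

# Constructed HR separation feed: employee id -> separation timestamp
HR_SEPARATIONS = {
    "E1001": datetime(2024, 5, 3, 17, 0),
    "E1002": datetime(2024, 5, 10, 12, 0),
    "E1003": datetime(2024, 6, 1, 9, 0),
    "E1004": datetime(2024, 6, 14, 16, 30),
}

# Constructed access-management export: one row per account
ACCOUNTS = [
    {"employee_id": "E1001", "account": "jdoe", "enabled": False,
     "disabled_at": datetime(2024, 5, 4, 8, 15)},          # disabled on time
    {"employee_id": "E1002", "account": "asmith", "enabled": False,
     "disabled_at": datetime(2024, 5, 20, 9, 0)},          # disabled, but late
    {"employee_id": "E1003", "account": "bwong", "enabled": True,
     "disabled_at": None},                                 # still enabled
    {"employee_id": "E1004", "account": "clee", "enabled": True,
     "disabled_at": None},                                 # inside the 24-hour window
    {"employee_id": "E2000", "account": "svc_batch", "enabled": True,
     "disabled_at": None},                                 # active staff, not separated
]


def hours_late(when: datetime, deadline: datetime) -> int:
    return int((when - deadline).total_seconds() // 3600)


def reconcile(separations: dict, accounts: list, as_of: datetime) -> list:
    """Return (account, reason, hours_late) for each separated employee's account
    that is still enabled past the deadline or was disabled after it."""
    findings = []
    for acct in accounts:
        separated_at = separations.get(acct["employee_id"])
        if separated_at is None:
            continue                      # not separated per HR; nothing to check
        deadline = separated_at + DEADLINE
        if acct["enabled"]:
            if as_of > deadline:          # within the window is not yet a finding
                findings.append((acct["account"], "still_enabled",
                                 hours_late(as_of, deadline)))
        elif acct["disabled_at"] is None:
            findings.append((acct["account"], "no_disable_timestamp", 0))
        elif acct["disabled_at"] > deadline:
            findings.append((acct["account"], "disabled_late",
                             hours_late(acct["disabled_at"], deadline)))
    return findings


if __name__ == "__main__":
    for account, reason, hours in reconcile(HR_SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{account:10} {reason:22} {hours} hours past the 24-hour deadline")
```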
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to prove the effects of the consequences enforced. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.) it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard.
The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations.
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, although the SIEM tool is in production, it also does not include all audit log information in a usable format that would allow agencies to adequately monitor their IT environments.
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024 and, thus, were not able to comply with the Security Standard requirements related to audit log monitoring. The inability of agencies to review and monitor their individual audit logs increases the risk to the confidentiality, integrity, and availability of the Commonwealth’s data.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, did not properly document considerations for localities with elevated risks, and did not perform adequate risk assessments for its non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion on internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the fiscal agent to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report, they cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls and that those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress to document and implement a formal process for maintaining oversight for three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, effective February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, and as a result the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authorization Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline the requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources which has contributed to the absence of documentation outlining control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures for its database based on the Security Standard requirements and the settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines the required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should document deviations from recommended and expected security configurations, together with the business justification and approval for each deviation. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database and to ensure the configuration aligns with the Security Standard and the CIS Benchmark. These actions will help maintain the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical data.
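As an added illustration of the scheduled baseline comparison recommended above (example code written for this page; it is not a tool of Medical Assistance Services, VITA, or the auditors), the following Python script checks an exported database configuration against a documented baseline and a register of approved deviations, and reports settings that drift from the baseline without a current, approved justification. The parameter names are modelled on PostgreSQL’s; the required values, the exported settings, the deviations, the approvers and the review dates are all constructed for the example, and the rationale comments are not citations of specific CIS Benchmark recommendations.

```python
"""Check a database's configuration against a documented baseline.

Added example (not from the audit report). Evaluates an exported configuration
against a baseline of required settings plus a register of approved deviations,
each carrying a justification, an approver and a review-by date. Parameter
names are modelled on PostgreSQL's; all values are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deviation:
    """An approved departure from the baseline and the record that supports it."""
    setting: str
    approved_value: str
    justification: str
    approved_by: str
    review_by: date          # approvals lapse unless re-reviewed (here: annually)


# Constructed baseline: setting -> required value; comments give the rationale.
BASELINE = {
    "ssl": "on",                              # encrypt client sessions
    "password_encryption": "scram-sha-256",   # no legacy md5 password hashes
    "log_connections": "on",                  # audit record of every session
    "log_disconnections": "on",
    "log_statement": "ddl",                   # capture schema changes
    "listen_addresses": "localhost",          # limit network exposure
    "log_min_duration_statement": "1000",     # record slow statements
}

# Constructed deviation register: one approval is current, one has lapsed.
DEVIATIONS = [
    Deviation("listen_addresses", "*",
              "application tier on separate hosts; access limited by host-based "
              "authentication and firewall rules", "ISO", date(2025, 2, 1)),
    Deviation("log_statement", "none",
              "temporary: disk pressure on the log volume", "DBA lead", date(2024, 1, 31)),
]

# Constructed export in the `name = value` form a config file or SHOW ALL dump yields.
OBSERVED_EXPORT = """\
ssl = on
password_encryption = scram-sha-256
log_connections = off
log_disconnections = on
log_statement = none
listen_addresses = '*'
"""


def parse_export(text: str) -> dict[str, str]:
    """Parse `name = value` lines; ignore blanks and comments, strip quotes from values."""
    observed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        observed[name] = value.strip("'\"")
    return observed


def evaluate(baseline: dict[str, str], deviations: list[Deviation],
             observed: dict[str, str], as_of: date) -> dict[str, str]:
    """Classify every baseline setting as compliant, approved_deviation,
    expired_deviation, unapproved_deviation or not_present."""
    register = {d.setting: d for d in deviations}
    result = {}
    for setting, required in baseline.items():
        if setting not in observed:
            result[setting] = "not_present"
            continue
        actual = observed[setting]
        if actual == required:
            result[setting] = "compliant"
            continue
        dev = register.get(setting)
        if dev is None or dev.approved_value != actual:
            result[setting] = "unapproved_deviation"     # drift with no matching approval
        elif dev.review_by < as_of:
            result[setting] = "expired_deviation"        # approval exists but lapsed
        else:
            result[setting] = "approved_deviation"
    return result


def drift_report(as_of: date = date(2024, 6, 30)) -> dict[str, str]:
    """Run the comparison over the constructed export as of the given review date."""
    return evaluate(BASELINE, DEVIATIONS, parse_export(OBSERVED_EXPORT), as_of)


if __name__ == "__main__":
    for setting, status in sorted(drift_report().items()):
        print(f"{status:22} {setting}")
```

Anything other than `compliant` or `approved_deviation` is a finding for the scheduled review; an `expired_deviation` is the case the annual re-review requirement exists to catch, since the configuration still matches an approval that nobody has reconfirmed.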
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet and submit it to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it only recently formalized the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to carry out the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Lacking and insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and bring the information security program in compliance with the Security Standard by not dedicating the necessary IT resources to information security.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program in compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and to address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combination of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
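The conflicting access review described above can be performed mechanically once the system owner has documented which role combinations conflict. The following is an added example, not code or role definitions from the report or from Social Services: the role names, the conflict matrix, the compensating control, and the access listing are all hypothetical and constructed for illustration. It shows the review as a defender would run it against an access export: collapse the listing into per-user role sets, test every pair of roles a user holds against the documented conflicts, and separate conflicts that have an accepted compensating control from those that do not.

```python
from collections import defaultdict
from itertools import combinations

# Constructed example. Role names, conflict pairs, the compensating control and
# the access listing are hypothetical, not the agency's actual configuration.

# Role pairs that one person should not hold at the same time, keyed as a
# frozenset so the order of the two roles does not matter. The value records
# the control objective the separation protects.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"ELIGIBILITY_WORKER", "ELIGIBILITY_SUPERVISOR"}):
        "determining eligibility and approving one's own determination",
    frozenset({"ELIGIBILITY_SUPERVISOR", "PAYMENT_RELEASE"}):
        "approving a case and releasing its payment",
    frozenset({"ELIGIBILITY_WORKER", "PAYMENT_RELEASE"}):
        "creating a case and releasing its payment",
    frozenset({"SECURITY_ADMIN", "ELIGIBILITY_WORKER"}):
        "administering access while also performing casework",
}

# Conflicts the system owner has accepted because a documented compensating
# control exists (hypothetical). Anything not listed here is unmitigated.
COMPENSATING_CONTROLS = {
    frozenset({"ELIGIBILITY_WORKER", "PAYMENT_RELEASE"}):
        "daily independent review of payments released by dual-role users",
}


def role_assignments(access_listing):
    """Collapse a one-row-per-grant access export into {user: set(roles)}."""
    users = defaultdict(set)
    for row in access_listing:
        users[row["user"]].add(row["role"])
    return users


def review_conflicts(access_listing):
    """Return one record per (user, conflicting role pair) found in the listing."""
    findings = []
    for user, roles in sorted(role_assignments(access_listing).items()):
        # Every 2-combination of the roles a user holds is a candidate conflict.
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair in CONFLICTING_ROLE_PAIRS:
                findings.append({
                    "user": user,
                    "roles": tuple(sorted(pair)),
                    "risk": CONFLICTING_ROLE_PAIRS[pair],
                    "compensating_control": COMPENSATING_CONTROLS.get(pair),
                })
    return findings


def unmitigated(findings):
    """Conflicts with no accepted compensating control; these need action."""
    return [f for f in findings if f["compensating_control"] is None]


# Constructed access listing, shaped like a typical "user, role" export.
SAMPLE_ACCESS_LISTING = [
    {"user": "u1001", "role": "ELIGIBILITY_WORKER"},
    {"user": "u1001", "role": "PAYMENT_RELEASE"},
    {"user": "u1002", "role": "ELIGIBILITY_WORKER"},
    {"user": "u1002", "role": "ELIGIBILITY_SUPERVISOR"},
    {"user": "u1003", "role": "ELIGIBILITY_SUPERVISOR"},
    {"user": "u1004", "role": "SECURITY_ADMIN"},
    {"user": "u1004", "role": "ELIGIBILITY_WORKER"},
    {"user": "u1004", "role": "PAYMENT_RELEASE"},
]


if __name__ == "__main__":
    for f in review_conflicts(SAMPLE_ACCESS_LISTING):
        status = "mitigated" if f["compensating_control"] else "UNMITIGATED"
        print(f"{f['user']}: {f['roles'][0]} + {f['roles'][1]} ({f['risk']}) -> {status}")
```

Running the review on the constructed listing reports four conflicts, two of which are covered by the accepted compensating control. The output that matters for the finding is the unmitigated list, which is the evidence the system owner documents and the input to deciding whether to remove a role or add a control. The same structure also handles the related review in finding 2024-042, since the annual access review starts from the same per-user role listing.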
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified.
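The timeframes above define two different clocks: the agency procedure counts calendar days from the date the flaw was identified, while the Risk Management Standard counts days from a fix becoming available, and an approved security exception is the only sanctioned way to hold a vulnerability past either deadline. The following is an added example, not code or data from the report or from Medical Assistance Services, showing how a practitioner would check a scan export against both sets of deadlines. The vulnerability identifiers, hosts, and dates are constructed placeholders, and treating a critical rating the same as a high rating under the agency procedure is an assumption (the procedure text quoted above lists only high, medium, and "all others").

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example. The deadlines come from the finding; everything else
# (identifiers, hosts, dates, severity mapping) is assumed for illustration.

# Agency Vulnerability Scan Management procedure: days from detection.
# Assumption: "critical" is handled like "high"; the procedure lists only
# high (30), medium (60) and all others (90).
AGENCY_DEADLINE_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}

# SEC520 Risk Management Standard: days from a fix becoming available.
# Critical/high within 30 days, everything else within 90 days.
SEC520_DEADLINE_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}


@dataclass
class ScanFinding:
    vuln_id: str                      # placeholder id, not a real CVE
    host: str
    severity: str                     # critical | high | medium | low
    first_seen: date                  # date the scanner first reported it
    fix_available: Optional[date]     # None while the vendor has no fix
    remediated: Optional[date] = None
    exception_approved: bool = False  # CSRM-approved security exception on file


def _overdue_by(deadline_days, start, end):
    """Days past the deadline; negative means still inside the window.
    Returns None when the clock has not started (no fix available yet)."""
    if start is None:
        return None
    return (end - start).days - deadline_days


def assess(findings, as_of):
    """Classify each finding against both the agency and SEC520 clocks."""
    results = []
    for f in findings:
        sev = f.severity.lower()
        end = f.remediated or as_of   # closed items are judged at closure date
        agency = _overdue_by(AGENCY_DEADLINE_DAYS[sev], f.first_seen, end)
        sec520 = _overdue_by(SEC520_DEADLINE_DAYS[sev], f.fix_available, end)
        late = agency > 0 or (sec520 is not None and sec520 > 0)
        if f.remediated is not None:
            status = "closed-late" if late else "closed-in-time"
        elif f.exception_approved:
            status = "open-excepted"   # past deadline is acceptable only with an exception
        elif late:
            status = "overdue"
        else:
            status = "open-in-window"
        results.append({"vuln_id": f.vuln_id, "host": f.host, "severity": sev,
                        "status": status, "agency_overdue_days": agency,
                        "sec520_overdue_days": sec520})
    return results


def summarize(results):
    """Count findings per status, the figure that goes into a management report."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


# Constructed scan export, evaluated as of a date in November 2024.
AS_OF = date(2024, 11, 15)
SAMPLE_FINDINGS = [
    ScanFinding("VULN-0001", "app-01", "critical", date(2024, 9, 1), date(2024, 9, 1)),
    ScanFinding("VULN-0002", "app-02", "medium", date(2024, 10, 1), date(2024, 9, 15)),
    ScanFinding("VULN-0003", "db-01", "high", date(2024, 8, 1), None, exception_approved=True),
    ScanFinding("VULN-0004", "web-01", "low", date(2024, 7, 1), date(2024, 7, 1), remediated=date(2024, 9, 15)),
    ScanFinding("VULN-0005", "web-02", "high", date(2024, 6, 1), date(2024, 6, 10), remediated=date(2024, 8, 1)),
]


def run_sample():
    return assess(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['vuln_id']} {r['host']} {r['severity']:8} {r['status']:15} "
              f"agency={r['agency_overdue_days']} sec520={r['sec520_overdue_days']}")
    print(summarize(run_sample()))
```

On the constructed export the checker reports one overdue item, one still within its window, one held open under an approved exception, one closed on time, and one closed late. The point of keeping both clocks is that a vulnerability can be inside the agency window yet past the SEC520 deadline (or the reverse) when the fix appeared before the scanner first reported the flaw, so a report that tracks only detection dates understates the compliance gap.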
Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT security audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians who have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document its process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training in a timely manner.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act, in § 42.1-91 of the Code of Virginia, makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that the agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should remain available for business processes or audit, or keeping data longer than the stated period, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information within the required recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
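The control this finding describes, identifying separated individuals whose access did not follow the offboarding process, is a join between the HR separation record and the access management system's disable events against the 24-hour requirement. The Python below is an added example, not code from the audit report, ISRM, or Social Services' access management system; the HR and access-management records are constructed, and the field names are assumptions. It reports accounts disabled late, accounts never disabled, and accounts re-enabled after separation, and leaves users still inside the 24-hour window unreported.

```python
"""Detect separated users whose system access was not disabled within 24 hours."""
from datetime import datetime, timedelta

MAX_REMOVAL_DELAY = timedelta(hours=24)   # Security Standard requirement cited above

# Constructed HR separation feed: user id -> separation timestamp (ISO 8601).
SEPARATIONS = {
    "u.alpha": "2024-03-01T17:00:00",
    "u.bravo": "2024-03-04T09:00:00",
    "u.charlie": "2024-03-10T12:00:00",
    "u.delta": "2024-03-12T08:00:00",
    "u.echo": "2024-03-31T16:00:00",
}

# Constructed access-management audit events (field names are assumptions).
ACCESS_EVENTS = [
    {"user": "u.alpha", "action": "disable", "time": "2024-03-01T17:30:00"},
    {"user": "u.bravo", "action": "disable", "time": "2024-03-08T10:00:00"},
    {"user": "u.delta", "action": "disable", "time": "2024-03-12T09:00:00"},
    {"user": "u.delta", "action": "enable", "time": "2024-03-20T10:00:00"},
]

AS_OF = datetime(2024, 4, 1, 10, 0, 0)   # time the check runs


def find_untimely_removals(separations, events, as_of):
    """Return {user: reason} for each separated user whose access was still
    enabled after the 24-hour deadline, was disabled late, or was re-enabled
    after separation. Users still inside the 24-hour window are not reported."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = {}
    for user, sep_ts in separations.items():
        separated = datetime.fromisoformat(sep_ts)
        deadline = separated + MAX_REMOVAL_DELAY
        enabled, removed_at, reenabled = True, None, False
        # Replay the account's enable/disable history in time order.
        for ev in by_user.get(user, []):
            t = datetime.fromisoformat(ev["time"])
            if ev["action"] == "disable" and enabled:
                enabled, removed_at = False, t
            elif ev["action"] == "enable" and not enabled:
                enabled = True
                reenabled = reenabled or t > separated
        if reenabled:
            findings[user] = "re-enabled after separation"
        elif enabled:
            if as_of > deadline:
                findings[user] = "still enabled"
        elif removed_at > deadline:
            hours = (removed_at - deadline).total_seconds() / 3600
            findings[user] = f"late by {hours:.0f}h"
    return findings


def sample_findings():
    return find_untimely_removals(SEPARATIONS, ACCESS_EVENTS, AS_OF)


if __name__ == "__main__":
    for user, reason in sample_findings().items():
        print(f"{user}: {reason}")
```

Replaying the full enable/disable history rather than reading the account's current state is what catches the re-enabled case, which a point-in-time "is the account disabled" query would miss; scheduling this check to run daily against the HR feed is the monitoring control the finding asks Social Services to complete.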
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to demonstrate the effect of the consequences enforced. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard.
The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations.
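The two timeframes in this finding are different measurements: the Security Standard's 30-day window applies to every security-relevant update, while the supplier service level applies a 60-day window only to patches whose CVE score exceeds the contractual threshold, and a patch can satisfy the service level while still breaching the Security Standard (which is why agencies can be non-compliant even when no credit is owed). The Python below is an added example, not code from the audit report, VITA, or the MSI; the patch records and host names are constructed, the field names are assumptions, and the CVE threshold value is a placeholder because the finding does not state the contractual figure.

```python
"""Evaluate patch installation records against the 30-day Security Standard
window and the supplier's CVE-threshold service level."""
from datetime import date, timedelta

STANDARD_WINDOW = timedelta(days=30)   # SEC530: install within 30 days of release
SLA_WINDOW = timedelta(days=60)        # ITISP service level cited in the finding
CVE_THRESHOLD = 7.0                    # ASSUMED placeholder; the contract value is not on the page

# Constructed patch records (field names are assumptions, not a real tool's schema).
PATCHES = [
    {"id": "P1", "host": "app01", "cvss": 9.8, "released": date(2024, 1, 5), "installed": date(2024, 1, 20)},
    {"id": "P2", "host": "app02", "cvss": 9.8, "released": date(2024, 1, 5), "installed": date(2024, 2, 20)},
    {"id": "P3", "host": "db01", "cvss": 9.8, "released": date(2024, 1, 5), "installed": date(2024, 3, 20)},
    {"id": "P4", "host": "db02", "cvss": 5.5, "released": date(2024, 1, 5), "installed": date(2024, 3, 20)},
    {"id": "P5", "host": "web01", "cvss": 8.1, "released": date(2024, 3, 10), "installed": None},
    {"id": "P6", "host": "web02", "cvss": 8.1, "released": date(2023, 12, 1), "installed": None},
]
AS_OF = date(2024, 3, 25)   # date the check runs


def evaluate_patch(patch, as_of):
    """Return sorted flags for one patch: [] compliant, ['pending'] not yet
    due, 'standard_breach' past 30 days, 'sla_breach' past 60 days with a CVE
    score above the threshold. Uninstalled patches are measured up to as_of,
    so an open patch keeps accumulating age until it is installed."""
    end = patch["installed"] or as_of
    age = end - patch["released"]
    flags = []
    if age > STANDARD_WINDOW:
        flags.append("standard_breach")
    if age > SLA_WINDOW and patch["cvss"] > CVE_THRESHOLD:
        flags.append("sla_breach")
    if not flags and patch["installed"] is None:
        flags.append("pending")
    return sorted(flags)


def evaluate(patches, as_of):
    """Map patch id -> flags for a whole inventory."""
    return {p["id"]: evaluate_patch(p, as_of) for p in patches}


def summarize(results):
    """Count patches per outcome. The sla_breach count is what would drive a
    service level credit; the standard_breach count is the agency's own
    Security Standard exposure, which the credit does not remove."""
    counts = {"compliant": 0, "pending": 0, "standard_breach": 0, "sla_breach": 0}
    for flags in results.values():
        if not flags:
            counts["compliant"] += 1
        for flag in flags:
            counts[flag] += 1
    return counts


def sample_results():
    return evaluate(PATCHES, AS_OF)


if __name__ == "__main__":
    results = sample_results()
    for pid, flags in results.items():
        print(f"{pid}: {', '.join(flags) or 'compliant'}")
    print(summarize(results))
```

In the constructed data, P2 and P4 are the cases the finding is about: each is outside the Security Standard window yet owes no credit (P2 is inside 60 days, P4 is below the threshold), so an agency relying on the service level alone would see no signal.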
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, although the SIEM tool is in production, it also does not include all audit log information in a usable format that would allow agencies to adequately monitor their IT environments.
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024 and thus were not able to comply with the Security Standard requirements related to audit log monitoring. The inability of agencies to review and monitor their individual audit logs increases the risk to the confidentiality, integrity, and availability of the Commonwealth’s data.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report they cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls or that the controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress to document and implement a formal process for maintaining oversight for three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, effective February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, and as a result the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources which has contributed to the absence of documentation outlining control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet and submit it to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because the process was only recently formalized. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to implement the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Lacking and insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and bring the information security program in compliance with the Security Standard by not dedicating the necessary IT resources to information security.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to serve as a liaison between TSD and the Division of Information Security and Risk Management (ISRM) and to help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combination of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard), requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and to acquire an approved security exception for any vulnerability that Medical Assistance Services does not remediate within the identified timeframes.
Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
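The two timeframe sets quoted in this finding (the agency procedure’s 30/60/90 calendar days and SEC520’s 30/90 days from a fix becoming available, with an approved security exception otherwise) applied to a constructed scan export, as an added example that is not part of the audit report or any agency tool. The assumptions are that the procedure’s clock runs from the date the scanner first reported the flaw and that critical-severity flaws are held to the procedure’s high-severity deadline; the hosts, dates and identifiers are constructed.

```python
"""Remediation-deadline check for vulnerability scan results.

Added example, not part of the audit report or any agency's tooling. It encodes
the two deadline sets quoted in finding 2024-053:
  - agency Vulnerability Scan Management procedure: high 30 / medium 60 / all
    others 90 calendar days (assumed to run from the date the flaw was first seen;
    critical is assumed to share the high-severity deadline);
  - SEC520 Risk Management Standard: critical/high within 30 days and all others
    within 90 days of a fix becoming available, else an approved security exception.
All scan records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Calendar-day deadlines per severity. Unknown severities fall back to 90 days.
PROCEDURE_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}  # critical=high is an assumption
SEC520_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}


@dataclass
class Vuln:
    vuln_id: str
    host: str
    severity: str                 # critical / high / medium / low
    first_seen: date              # date the scanner first reported the flaw
    fix_available: Optional[date] # None when no vendor fix exists yet
    mitigated: Optional[date] = None
    exception_approved: bool = False


@dataclass
class Verdict:
    vuln_id: str
    host: str
    procedure_overdue_days: int   # days past the agency procedure's deadline (0 = on time)
    sec520_overdue_days: int      # days past the SEC520 deadline (0 = on time or no fix yet)
    needs_exception: bool         # open, past SEC520 deadline, and no approved exception


def _days_overdue(start: date, allowed: int, end: date) -> int:
    """Days beyond the allowed window; never negative."""
    return max(0, (end - start).days - allowed)


def evaluate(vulns: List[Vuln], as_of: date) -> List[Verdict]:
    """Judge every record against both deadline sets as of a given date.

    Closed flaws are judged on their mitigation date, so a late fix still shows
    how many days past the deadline it landed.
    """
    verdicts = []
    for v in vulns:
        sev = v.severity.lower()
        end = v.mitigated or as_of
        proc = _days_overdue(v.first_seen, PROCEDURE_DAYS.get(sev, 90), end)
        if v.fix_available is None:
            sec = 0  # the SEC520 clock only starts once a fix exists
        else:
            sec = _days_overdue(v.fix_available, SEC520_DAYS.get(sev, 90), end)
        needs_exc = v.mitigated is None and sec > 0 and not v.exception_approved
        verdicts.append(Verdict(v.vuln_id, v.host, proc, sec, needs_exc))
    return verdicts


def summarize(verdicts: List[Verdict]) -> dict:
    """Counts a reviewer would put in a status report."""
    return {
        "procedure_overdue": sum(1 for x in verdicts if x.procedure_overdue_days > 0),
        "sec520_overdue": sum(1 for x in verdicts if x.sec520_overdue_days > 0),
        "needs_exception": sum(1 for x in verdicts if x.needs_exception),
    }


# Constructed scan export; the report date matches the finding's "as of November 2024".
AS_OF = date(2024, 11, 15)
SAMPLE_SCAN = [
    Vuln("V-1", "app-db-01", "critical", date(2024, 8, 1), date(2024, 8, 5)),
    Vuln("V-2", "web-03", "medium", date(2024, 9, 20), date(2024, 9, 20)),
    Vuln("V-3", "report-02", "high", date(2024, 6, 1), None),          # no fix yet
    Vuln("V-4", "batch-01", "low", date(2024, 7, 1), date(2024, 7, 10),
         mitigated=date(2024, 10, 20)),                                 # fixed, but late
    Vuln("V-5", "web-01", "high", date(2024, 8, 15), date(2024, 8, 20),
         exception_approved=True),                                      # covered by an exception
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_SCAN, AS_OF)
    for r in results:
        print(f"{r.vuln_id:5} {r.host:10} procedure +{r.procedure_overdue_days:3}d "
              f"SEC520 +{r.sec520_overdue_days:3}d exception needed: {r.needs_exception}")
    print(summarize(results))
```

Note that V-3 is overdue under the agency procedure but not under SEC520, because SEC520 measures from the date a fix becomes available; a reviewer tracking only one of the two clocks would miss such cases.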
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT Security Audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians who have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware of, or lack, the pertinent skills and knowledge needed to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document its process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using EOL software that the vendor no longer supports, in order to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that, due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, implementing the retention requirements for all ten programs and services supported by its case management system was not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress in monitoring and enforcing the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to demonstrate the effects of the consequences enforced. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard.
The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations.
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments.
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024, and thus, were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth’s data confidentiality, integrity, and availability.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, did not properly document considerations for localities with elevated risks, and did not perform adequate risk assessments for its non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm that program consultants notified localities timely of the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than its subrecipient monitoring plan requires.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform the scheduled monitoring review for one out of 19 (5%) locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary because of risk factors that created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-010: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-085; 2022-089; 2021-019
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Pandemic EBT Food Benefits - 10.542
Federal Award Number and Year: Not Applicable - 2024
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Social Services continues to not obtain, review, and document System and Organization Controls (SOC) reports, specifically SOC 1, Type 2 reports, to gain assurance over its third-party service providers’ internal controls relevant to financial reporting. SOC 1, Type 2 reports address the service organization’s internal controls and the effect those internal controls may have on the user entity’s financial statements. Social Services uses service organizations to perform functions that are significant to its financial operations such as administering the electronic benefit transfer (EBT) process for several of its public assistance programs. For instance, during fiscal year 2024, one of Social Services’ third-party service providers issued more than $2 billion in financial assistance to beneficiaries on EBT cards.
Topic 10305 of the CAPP Manual requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment and maintain oversight over service providers to gain assurance over outsourced operations. Additionally, 2 CFR § 200.303(a) requires non-federal entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Social Services tasks contract administrators with responsibility for obtaining, reviewing, and documenting SOC 1, Type 2 reports. However, contract administrators are often not familiar with the CAPP Manual requirements, and Social Services has not made them aware of the expectations for obtaining, reviewing, and documenting SOC 1, Type 2 reports through a documented policy and procedure. As a result, contract administrators have not been obtaining, reviewing, and documenting SOC 1, Type 2 reports.
Without adopting a policy and procedure over SOC 1, Type 2 reports and communicating those expectations to contract administrators, Social Services is unable to ensure that its complementary user entity controls are sufficient to support its reliance on the service providers’ control design, implementation, and operating effectiveness. Additionally, Social Services is unable to address any internal control deficiencies and/or exceptions identified in the SOC 1, Type 2 reports. In effect, by not obtaining the necessary SOC 1, Type 2 reports timely or properly documenting its review of the reports, Social Services increases the risk that it will not detect a weakness in a service provider’s environment.
Social Services should designate a resource within the agency, who is knowledgeable of the CAPP Manual and SOC 1, Type 2 report requirements, with responsibility for developing an office-wide policy and procedure that contract administrators can use for obtaining, reviewing, and documenting SOC 1, Type 2 reports. At a minimum, Social Services’ policy and procedure should include the timeframes for obtaining SOC 1, Type 2 reports from service providers, documentation requirements for user entity complementary controls, the steps needed to address internal control deficiencies and/or exceptions found in reviews, and the staff responsible for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency. Thereafter, Social Services should communicate the policy and procedure to all individuals responsible for overseeing service provider operations to ensure compliance with federal and state regulations. Finally, Social Services should retain this information as part of its annual Agency Risk Management and Internal Control Standard certification.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security
Applicable to: Department of Education - Direct Aid to Public Education
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management; Audit and Accountability
ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data.
The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found that seven of 45 (16%) employees have access to financial aid data beyond what they need to complete their job responsibilities. The improper access results from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing staff access levels. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
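The review recommended above is, in practice, a comparison of each employee's effective permissions against the permissions their job actually requires, plus a check for role combinations that defeat segregation of duties. The following is an added example of that review in Python; it is not code from the audit report or from NVCC's student information system. The roles, permissions, job functions, segregation-of-duties rules and user records are constructed for illustration, and in a real review they would be exported from the student information system and the HR system of record.

```python
"""Least-privilege and conflicting-role review for a role-based SIS.

Added example, not from the audit report or from NVCC's systems. The roles,
permissions, job functions, segregation-of-duties rules and user records are
constructed; in practice they would be exported from the student information
system and the HR system of record.
"""
from dataclasses import dataclass

# Constructed role -> permission map (hypothetical SIS roles).
ROLE_PERMISSIONS = {
    "FA_COUNSELOR": frozenset({"fa:read_award", "fa:read_fafsa"}),
    "FA_PROCESSOR": frozenset({"fa:read_award", "fa:read_fafsa", "fa:edit_award"}),
    "FA_DISBURSER": frozenset({"fa:read_award", "fa:disburse"}),
    "REGISTRAR": frozenset({"sis:read_enrollment", "sis:edit_enrollment"}),
    "ADVISOR": frozenset({"sis:read_enrollment"}),
}

# Constructed job function -> permissions the job actually requires.
JOB_NEEDS = {
    "financial_aid_counselor": frozenset({"fa:read_award", "fa:read_fafsa", "sis:read_enrollment"}),
    "financial_aid_processor": frozenset({"fa:read_award", "fa:read_fafsa", "fa:edit_award", "sis:read_enrollment"}),
    "academic_advisor": frozenset({"sis:read_enrollment"}),
    "registrar_staff": frozenset({"sis:read_enrollment", "sis:edit_enrollment"}),
    "audit_reviewer": frozenset({"fa:read_award"}),
}

# Constructed segregation-of-duties rules: permission pairs no one person may hold.
SOD_CONFLICTS = [("fa:edit_award", "fa:disburse"), ("sis:edit_enrollment", "fa:edit_award")]


@dataclass(frozen=True)
class User:
    name: str
    job: str
    roles: frozenset


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str               # "excess_privilege" or "conflicting_roles"
    permissions: frozenset  # the offending permissions


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r} on user {user.name}")
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def review_user(user):
    """Flag permissions beyond the job's needs and any segregation-of-duties conflict."""
    findings = []
    have = effective_permissions(user)
    excess = have - JOB_NEEDS[user.job]
    if excess:
        findings.append(Finding(user.name, "excess_privilege", excess))
    for a, b in SOD_CONFLICTS:
        if a in have and b in have:
            findings.append(Finding(user.name, "conflicting_roles", frozenset({a, b})))
    return findings


def review_access(users):
    return [f for u in users for f in review_user(u)]


def users_with_excess(findings):
    return sorted({f.user for f in findings if f.kind == "excess_privilege"})


def least_privilege_roles(job):
    """Greedy pick of existing roles that cover the job's needs with no excess.

    Returns None when no combination of roles fits exactly: the role catalogue
    itself needs redesign before the job can be provisioned without excess.
    """
    need = JOB_NEEDS[job]
    candidates = {r: p for r, p in ROLE_PERMISSIONS.items() if p <= need}
    chosen, uncovered = set(), set(need)
    while uncovered:
        best = max(candidates, key=lambda r: (len(candidates[r] & uncovered), r), default=None)
        if best is None or not candidates[best] & uncovered:
            return None
        chosen.add(best)
        uncovered -= candidates[best]
    return frozenset(chosen)


# Constructed user records.
USERS = [
    User("alice", "financial_aid_counselor", frozenset({"FA_COUNSELOR", "ADVISOR"})),
    User("bob", "financial_aid_counselor", frozenset({"FA_PROCESSOR", "ADVISOR"})),
    User("carol", "financial_aid_processor", frozenset({"FA_PROCESSOR", "FA_DISBURSER", "ADVISOR"})),
    User("dave", "academic_advisor", frozenset({"ADVISOR"})),
    User("erin", "registrar_staff", frozenset({"REGISTRAR", "FA_COUNSELOR"})),
    User("frank", "audit_reviewer", frozenset({"FA_COUNSELOR"})),
]

if __name__ == "__main__":
    findings = review_access(USERS)
    for f in findings:
        print(f"{f.user}: {f.kind} {sorted(f.permissions)}")
    print(f"{len(users_with_excess(findings))} of {len(USERS)} users hold excess access")
```

On the constructed data the review flags four of six users for excess access and one of them (carol) for holding both award-editing and disbursement rights. The audit_reviewer job shows the second point in the ISO guidance quoted above: no existing role fits it without granting extra access, so least_privilege_roles returns None and the role catalogue, not just the user's assignment, has to change.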
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify the students requiring a return of Title IV calculation. At the end of the spring 2024 term, turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not timely identify the students requiring a return of Title IV calculation. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid who have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
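The day-count rule quoted above (only scheduled breaks of at least five consecutive days are excluded, from both the total days in the period and the days completed) is the step the NSU and NVCC staff got wrong. The following is an added example, not code from the report or from either institution, that applies the rule to a constructed fall-term calendar; the term dates, break dates, withdrawal date and $4,000 disbursement are all made up for illustration, and the earned-aid step uses the handbook's 60% threshold but omits the later institutional/student share split.

```python
from datetime import date

# Per 34 CFR 668.22 as summarized in the finding: scheduled breaks of at least
# five consecutive days are excluded from both the total days in the period and
# the days the student completed. Shorter breaks (a one-day holiday) stay in.
MIN_EXCLUDABLE_BREAK = 5


def _excluded_days(breaks, start, end, min_break_days):
    """Count calendar days in [start, end] that fall inside a break long enough
    to be excluded. Shorter breaks are deliberately left in the count."""
    excluded = 0
    for b_start, b_end in breaks:
        if (b_end - b_start).days + 1 < min_break_days:
            continue  # too short to exclude: these days count as period days
        lo, hi = max(b_start, start), min(b_end, end)
        if lo <= hi:
            excluded += (hi - lo).days + 1
    return excluded


def r2t4_days(period_start, period_end, withdrawal_date, breaks,
              min_break_days=MIN_EXCLUDABLE_BREAK):
    """Return (days_completed, total_days, fraction_completed).

    Day counts include both endpoints; the withdrawal date is the last day
    counted as completed. min_break_days is exposed only so the error the
    finding describes (excluding every break) can be reproduced."""
    if not period_start <= withdrawal_date <= period_end:
        raise ValueError("withdrawal date must fall within the payment period")
    total = ((period_end - period_start).days + 1
             - _excluded_days(breaks, period_start, period_end, min_break_days))
    completed = ((withdrawal_date - period_start).days + 1
                 - _excluded_days(breaks, period_start, withdrawal_date, min_break_days))
    return completed, total, completed / total


def earned_aid(disbursed, fraction_completed):
    """Title IV aid earned: fraction * disbursed, or 100% once more than 60%
    of the period has been completed (the handbook's 60% rule)."""
    if fraction_completed > 0.60:
        return round(disbursed, 2)
    return round(disbursed * fraction_completed, 2)


# Constructed fall-term calendar (hypothetical, not from the report): Labor Day
# is a one-day break, Thanksgiving a five-day break.
TERM = (date(2023, 8, 21), date(2023, 12, 15))
BREAKS = [(date(2023, 9, 4), date(2023, 9, 4)),
          (date(2023, 11, 22), date(2023, 11, 26))]

if __name__ == "__main__":
    withdrew = date(2023, 10, 20)
    completed, total, pct = r2t4_days(*TERM, withdrew, BREAKS)
    print(f"correct: {completed}/{total} = {pct:.2%}, earned {earned_aid(4000, pct)}")
    # The error described above: every scheduled break excluded, even the
    # one-day holiday, so numerator and denominator are both short by a day.
    c2, t2, p2 = r2t4_days(*TERM, withdrew, BREAKS, min_break_days=1)
    print(f"wrong:   {c2}/{t2} = {p2:.2%}, earned {earned_aid(4000, p2)}")
```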
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds in accordance with the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The improper access is due to management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
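The evaluation recommended here has two parts that the ISO language above separates: roles beyond what a job needs (least privilege) and role pairs one person should not hold together (segregation of duties). The following is an added example, not code from the report or NVCC's own access model, of such a review run over a constructed role matrix; every job title, role name, conflicting pair and employee record is hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical SIS role model (constructed for this example, not NVCC's).
# Each job title maps to the minimum set of roles that job needs.
ROLES_FOR_JOB = {
    "fa_counselor":    {"FA_VIEW", "FA_AWARD"},
    "fa_director":     {"FA_VIEW", "FA_APPROVE"},
    "bursar_clerk":    {"SF_VIEW", "SF_REFUND"},
    "registrar_clerk": {"REG_VIEW", "REG_UPDATE"},
}

# Role pairs one person should never hold together (segregation of duties):
# awarding aid and approving the award; awarding aid and issuing refunds.
CONFLICTING_ROLES = {
    frozenset({"FA_AWARD", "FA_APPROVE"}),
    frozenset({"FA_AWARD", "SF_REFUND"}),
}


@dataclass
class AccessFinding:
    user: str
    excess_roles: set = field(default_factory=set)   # granted beyond job need
    conflicts: list = field(default_factory=list)    # SoD pairs actually held
    unknown_job: bool = False                        # no approved baseline


def review_access(assignments):
    """assignments: iterable of (user, job_title, set_of_granted_roles).
    Returns one AccessFinding per user whose access is not least-privilege."""
    findings = []
    for user, job, granted in assignments:
        granted = set(granted)
        f = AccessFinding(user)
        allowed = ROLES_FOR_JOB.get(job)
        if allowed is None:
            # A job with no approved role baseline cannot be justified at all,
            # so every granted role is reported as excess.
            f.unknown_job = True
            f.excess_roles = granted
        else:
            f.excess_roles = granted - allowed
        f.conflicts = sorted(tuple(sorted(pair))
                             for pair in CONFLICTING_ROLES if pair <= granted)
        if f.excess_roles or f.conflicts or f.unknown_job:
            findings.append(f)
    return findings


def summarize(assignments):
    """Return (flagged, total, percent) in the form the audit finding reports,
    e.g. (7, 45, 16) for 'seven of 45 (16%)'."""
    assignments = list(assignments)
    flagged = len(review_access(assignments))
    total = len(assignments)
    percent = round(100 * flagged / total) if total else 0
    return flagged, total, percent


# Constructed employee access export (hypothetical names and grants).
SAMPLE = [
    ("alice", "fa_counselor",    {"FA_VIEW", "FA_AWARD"}),
    ("bob",   "fa_counselor",    {"FA_VIEW", "FA_AWARD", "FA_APPROVE"}),
    ("carol", "bursar_clerk",    {"SF_VIEW", "SF_REFUND", "FA_VIEW"}),
    ("dave",  "registrar_clerk", {"REG_VIEW"}),
    ("erin",  "fa_director",     {"FA_VIEW", "FA_APPROVE"}),
    ("frank", "bursar_clerk",    {"SF_VIEW", "SF_REFUND", "FA_AWARD"}),
    ("grace", "intern",          {"FA_VIEW"}),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE):
        print(f)
    print("%d of %d (%d%%) employees exceed least privilege" % summarize(SAMPLE))
```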
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation timely. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), Northern Virginia did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student was scheduled to complete, excluding scheduled breaks of at least five consecutive days; breaks shorter than five days remain in the count. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
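As an added worked example (not code from the institutions, ED, or the audit), the calendar-day arithmetic the finding turns on, in Python. The term dates, break dates, dollar amount and function names are constructed for the illustration. The threshold under which a student who completes more than 60 percent of the period has earned all of the aid is the regulation's own rule at 34 CFR § 668.22(e)(2)(ii), not text from the finding.

```python
"""Return of Title IV (R2T4) calendar-day arithmetic.

Added illustration, not code from the institutions, ED, or the audit. It
implements the rule quoted in the finding above (34 CFR 668.22): scheduled
breaks of five or more consecutive days are excluded from both the days the
student completed and the total days in the period, while shorter breaks
still count as calendar days. The "more than 60 percent completed means all
aid is earned" threshold is the regulation's own rule (668.22(e)(2)(ii)),
not text from the finding. Term dates, breaks and dollar amounts below are
constructed for the example.
"""
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from fractions import Fraction

MIN_BREAK_DAYS = 5  # a scheduled break shorter than this is NOT excluded


def _days_inclusive(first, last):
    return (last - first).days + 1


def _excluded_break_days(breaks, start, end, min_break_days):
    """Days of qualifying breaks that fall within [start, end] inclusive."""
    excluded = 0
    for b_first, b_last in breaks:
        if _days_inclusive(b_first, b_last) < min_break_days:
            continue  # e.g. a two-day fall break: counted as ordinary calendar days
        lo, hi = max(b_first, start), min(b_last, end)
        if lo <= hi:
            excluded += _days_inclusive(lo, hi)
    return excluded


def earned_percentage(period_start, period_end, withdrawal_date, breaks=(),
                      min_break_days=MIN_BREAK_DAYS):
    """Fraction of the payment period the student completed.

    Dates are ISO strings; breaks is a sequence of (first_day, last_day)
    ISO-string pairs. Passing min_break_days=1 reproduces the error in the
    finding (every scheduled break excluded regardless of length).
    """
    start, end, wd = (date.fromisoformat(s)
                      for s in (period_start, period_end, withdrawal_date))
    brk = [(date.fromisoformat(a), date.fromisoformat(b)) for a, b in breaks]
    if not start <= wd <= end:
        raise ValueError("withdrawal date must fall inside the payment period")
    total = _days_inclusive(start, end) - _excluded_break_days(brk, start, end, min_break_days)
    completed = _days_inclusive(start, wd) - _excluded_break_days(brk, start, wd, min_break_days)
    pct = Fraction(completed, total)
    # 668.22(e)(2)(ii): more than 60 percent completed means all aid is earned.
    return Fraction(1) if pct > Fraction(3, 5) else pct


def unearned_amount(disbursed, pct):
    """Dollars of the disbursed Title IV aid that were not earned, to the cent."""
    unearned = Fraction(str(disbursed)) * (1 - pct)
    return (Decimal(unearned.numerator) / Decimal(unearned.denominator)).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)


# Constructed fall 2023 term: 110 calendar days, a two-day fall break (not
# excluded) and a five-day Thanksgiving break (excluded).
FALL_TERM = {
    "period_start": "2023-08-26",
    "period_end": "2023-12-13",
    "breaks": [("2023-10-30", "2023-10-31"), ("2023-11-22", "2023-11-26")],
}


def worked_example(withdrawal_date="2023-10-15", disbursed="2000.00"):
    """Correct calculation beside the error mode described in the finding."""
    correct = earned_percentage(withdrawal_date=withdrawal_date, **FALL_TERM)
    wrong = earned_percentage(withdrawal_date=withdrawal_date, min_break_days=1, **FALL_TERM)
    return {
        "earned_pct": str(correct),  # 51 of 105 days
        "return_to_ed": str(unearned_amount(disbursed, correct)),
        "return_if_short_break_excluded": str(unearned_amount(disbursed, wrong)),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Lowering min_break_days to 1 reproduces the error noted at both institutions: the two-day fall break that falls after the withdrawal date is dropped from the denominator only, the earned percentage rises, and the amount returned to ED falls from $1,028.57 to $1,009.71, an underpayment of the kind the finding describes. A break that falls before the withdrawal date moves the result the other way, so the sign of the error depends on where the mis-entered break sits relative to the withdrawal date.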
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the timeframe required by 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, and if an electronic funds transfer (EFT) is rejected, the institution must return the funds no later than 45 days after the rejection. By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19(b)(3); 34 CFR § 676.19(b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19(b)(3) and 34 CFR § 676.19(b)(3), each year an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what their job responsibilities require. The improper access results from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing staff access levels. By not assigning access based on job responsibilities, NVCC increases the risk that employees hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
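One way to carry out the evaluation recommended above, shown as an added example rather than NVCC's code or a feature of its student information system: a script that compares each user's assigned roles against an approved-roles baseline for their job title and against a segregation-of-duties matrix, and reports the exception rate the way an auditor would. The role names, job titles, conflict pairs and the CSV export are all constructed for illustration; the conflict pairs reflect duties the findings in this report touch (verification, awarding, enrollment changes, refund release). An actual review would take the baseline from management's approved role design and the export from the SIS itself.

```python
"""Least-privilege and segregation-of-duties review of a student information
system (SIS) role export.

Added illustration, not NVCC's code or any SIS vendor's API. The role names,
the job-title baseline, the conflict pairs and the export below are all
constructed for the example; a real review would take the baseline from
management's approved role design and the export from the SIS itself.
"""
import csv
import io
from collections import namedtuple

# Roles each job title is approved to hold (constructed baseline).
APPROVED_ROLES = {
    "FA Counselor": {"FA_VIEW", "FA_AWARD"},
    "FA Verification Specialist": {"FA_VIEW", "FA_VERIFY"},
    "Bursar Clerk": {"FA_VIEW", "REFUND_RELEASE"},
    "Registrar Clerk": {"ENROLL_UPDATE"},
}

# Role pairs one person must never hold together (constructed SoD matrix).
CONFLICTING_PAIRS = [
    frozenset({"FA_AWARD", "REFUND_RELEASE"}),  # award aid and release the resulting refund
    frozenset({"FA_VERIFY", "FA_AWARD"}),       # verify FAFSA data and award on it
    frozenset({"ENROLL_UPDATE", "FA_AWARD"}),   # change enrollment and award on it
]

# Constructed export: one row per user, roles separated by ';'.
SAMPLE_EXPORT = """\
user_id,job_title,roles
u1001,FA Counselor,FA_VIEW;FA_AWARD
u1002,FA Counselor,FA_VIEW;FA_AWARD;REFUND_RELEASE
u1003,Bursar Clerk,FA_VIEW;REFUND_RELEASE
u1004,Registrar Clerk,ENROLL_UPDATE;FA_VIEW
u1005,FA Verification Specialist,FA_VIEW;FA_VERIFY
u1006,Dean of Students,FA_AWARD
"""

Finding = namedtuple("Finding", "user_id kind detail")


def parse_export(text):
    """Yield (user_id, job_title, set_of_roles) from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        yield row["user_id"], row["job_title"], roles


def review_access(text):
    """Return one Finding per excess-role set, missing baseline or SoD conflict."""
    findings = []
    for user_id, title, roles in parse_export(text):
        allowed = APPROVED_ROLES.get(title)
        if allowed is None:
            # No approved role design for this title: all of the access is unreviewed.
            findings.append(Finding(user_id, "no_baseline_for_title", title))
        else:
            excess = roles - allowed  # access beyond what the job requires
            if excess:
                findings.append(Finding(user_id, "excess_role", ";".join(sorted(excess))))
        for pair in CONFLICTING_PAIRS:
            if pair <= roles:  # user holds both halves of a conflicting pair
                findings.append(Finding(user_id, "sod_conflict", ";".join(sorted(pair))))
    return findings


def exception_rate(text):
    """(users with at least one finding, users reviewed): the ratio audits report."""
    flagged = {f.user_id for f in review_access(text)}
    reviewed = sum(1 for _ in parse_export(text))
    return len(flagged), reviewed


if __name__ == "__main__":
    for f in review_access(SAMPLE_EXPORT):
        print(f"{f.user_id}: {f.kind} ({f.detail})")
    print("%d of %d users reviewed have an exception" % exception_rate(SAMPLE_EXPORT))
```

Excess read-only access (u1004, a registrar clerk with FA_VIEW) is reported alongside the conflict cases, since the finding concerns access to financial aid data beyond job requirements and not only write access; the title with no baseline (u1006) is flagged rather than silently passed, because an access review that skips unmapped titles is where privileged one-off grants tend to hide.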
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
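The day-count rule the finding relies on, as an added example that is not the report's or any institution's own code: only scheduled breaks of at least five consecutive days are removed from the payment period, so a one-day holiday still counts. Lowering the threshold parameter reproduces the error described above, where every break day was excluded; the term dates and breaks are constructed, and the 60% full-earning threshold applied at the end comes from 34 CFR § 668.22 rather than from this page.

```python
from datetime import date
from typing import List, Optional, Tuple

# Added example, not code from the audit report or any institution.
# Implements the day-count rule quoted in the finding: days in a payment
# period exclude scheduled breaks of at least five consecutive days, while
# shorter breaks (a one-day holiday, for example) still count.

MIN_EXCLUDED_BREAK_DAYS = 5  # threshold quoted in the finding (34 CFR 668.22)

DateRange = Tuple[date, date]  # inclusive start and end of a scheduled break


def _inclusive_days(start: date, end: date) -> int:
    """Calendar days from start through end, both inclusive."""
    return (end - start).days + 1


def _overlap_days(a_start: date, a_end: date, b_start: date, b_end: date) -> int:
    """Inclusive calendar days shared by two date ranges (0 if disjoint)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(0, (end - start).days + 1)


def count_period_days(period_start: date, period_end: date, breaks: List[DateRange],
                      through: Optional[date] = None,
                      min_excluded_break_days: int = MIN_EXCLUDED_BREAK_DAYS) -> int:
    """Countable days from period_start through `through` (default: period_end).

    Only breaks of at least `min_excluded_break_days` are removed. Passing 1
    reproduces the error in the finding, where every scheduled break day was
    excluded regardless of its length.
    """
    end = period_end if through is None else through
    if not period_start <= end <= period_end:
        raise ValueError("withdrawal date must fall within the payment period")
    days = _inclusive_days(period_start, end)
    for b_start, b_end in breaks:
        if _inclusive_days(b_start, b_end) >= min_excluded_break_days:
            # Subtract only the part of the break that falls inside the counted range,
            # which also handles a withdrawal date that lands during the break.
            days -= _overlap_days(period_start, end, b_start, b_end)
    return days


def earned_fraction(period_start: date, period_end: date, breaks: List[DateRange],
                    withdrawal_date: date) -> float:
    """Fraction of Title IV aid earned as of the withdrawal date.

    Completed days divided by total days in the period. The regulation
    (34 CFR 668.22(e)(2)(ii), not quoted on this page) treats more than 60%
    completed as fully earned.
    """
    completed = count_period_days(period_start, period_end, breaks, withdrawal_date)
    total = count_period_days(period_start, period_end, breaks)
    fraction = completed / total
    return 1.0 if fraction > 0.60 else fraction


# Constructed sample term (not from the report): a one-day Labor Day holiday
# that still counts and a five-day Thanksgiving break that is excluded.
TERM_START = date(2024, 8, 26)
TERM_END = date(2024, 12, 13)
BREAKS: List[DateRange] = [
    (date(2024, 9, 2), date(2024, 9, 2)),     # Labor Day: 1 day, still counted
    (date(2024, 11, 27), date(2024, 12, 1)),  # Thanksgiving: 5 days, excluded
]
WITHDRAWAL = date(2024, 10, 15)        # mid-term withdrawal
LATE_WITHDRAWAL = date(2024, 11, 20)   # past the 60% point
BREAK_WITHDRAWAL = date(2024, 11, 29)  # withdrawal date inside the excluded break

if __name__ == "__main__":
    total = count_period_days(TERM_START, TERM_END, BREAKS)
    wrong_total = count_period_days(TERM_START, TERM_END, BREAKS, min_excluded_break_days=1)
    print(f"total days, correct rule: {total}")            # 105
    print(f"total days, all breaks excluded: {wrong_total}")  # 104
    print(f"completed days: {count_period_days(TERM_START, TERM_END, BREAKS, WITHDRAWAL)}")  # 51
    print(f"earned fraction: {earned_fraction(TERM_START, TERM_END, BREAKS, WITHDRAWAL):.4f}")
```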
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The underlying cause of the improper access is that management did not align the assignment of access roles with the concept of least privilege and did not properly review the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
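The evaluation recommended above, as an added example that is neither NVCC's tooling nor its data: each employee's student information system roles are compared with the role set justified by their job title, and role combinations defined as conflicting are flagged for segregation of duties. The job titles, role names, conflicting pair and employee sample are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set

# Added example, not NVCC's tooling or data. Performs the kind of access
# review the finding calls for: compare held roles against a job-based
# baseline (least privilege) and flag conflicting role pairs (segregation
# of duties). All job titles and role names are hypothetical.

# Job title -> roles that job needs to do its work.
AUTHORIZED_ROLES: Dict[str, Set[str]] = {
    "financial_aid_counselor": {"FA_VIEW", "FA_AWARD"},
    "financial_aid_disburser": {"FA_VIEW", "FA_DISBURSE"},
    "registrar_clerk": {"REG_VIEW", "REG_UPDATE"},
    "help_desk": {"REG_VIEW"},
}

# Role pairs one person must not hold together.
CONFLICTING_ROLE_PAIRS: List[FrozenSet[str]] = [
    frozenset({"FA_AWARD", "FA_DISBURSE"}),
]


@dataclass
class Employee:
    user_id: str
    job_title: str
    roles: Set[str]


@dataclass
class Finding:
    user_id: str
    excess_roles: Set[str] = field(default_factory=set)  # roles beyond the job baseline
    conflicts: List[List[str]] = field(default_factory=list)  # conflicting pairs held


def review_access(employees: Iterable[Employee],
                  authorized: Dict[str, Set[str]] = AUTHORIZED_ROLES,
                  conflicts: Iterable[FrozenSet[str]] = CONFLICTING_ROLE_PAIRS) -> List[Finding]:
    """Return one Finding per employee whose roles exceed their job's baseline
    or include a conflicting pair. A job title missing from the matrix has an
    empty baseline, so every role that employee holds is reported as excess
    until the matrix is updated: nothing on record justifies the access."""
    findings: List[Finding] = []
    for emp in employees:
        allowed = authorized.get(emp.job_title, set())
        excess = set(emp.roles) - allowed
        held_conflicts = [sorted(pair) for pair in conflicts if pair <= emp.roles]
        if excess or held_conflicts:
            findings.append(Finding(emp.user_id, excess, held_conflicts))
    return findings


def exception_rate(employees: List[Employee], findings: List[Finding]) -> float:
    """Share of reviewed employees with at least one finding (the '7 of 45' style figure)."""
    return len(findings) / len(employees) if employees else 0.0


# Constructed sample population of six employees.
SAMPLE_EMPLOYEES = [
    Employee("u1", "financial_aid_counselor", {"FA_VIEW", "FA_AWARD"}),
    Employee("u2", "financial_aid_disburser", {"FA_VIEW", "FA_DISBURSE"}),
    Employee("u3", "registrar_clerk", {"REG_VIEW", "REG_UPDATE", "FA_VIEW"}),  # financial aid data beyond job
    Employee("u4", "financial_aid_counselor", {"FA_VIEW", "FA_AWARD", "FA_DISBURSE"}),  # excess and conflict
    Employee("u5", "help_desk", {"REG_VIEW"}),
    Employee("u6", "contractor", {"FA_VIEW"}),  # job title not in the matrix
]

if __name__ == "__main__":
    results = review_access(SAMPLE_EMPLOYEES)
    for f in results:
        print(f.user_id, "excess:", sorted(f.excess_roles), "conflicts:", f.conflicts)
    print(f"exception rate: {exception_rate(SAMPLE_EMPLOYEES, results):.0%}")  # 50%
```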
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-090: Improve Reporting to the National Student Loan Data System
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College; Old Dominion University; Radford University; University of Virginia; Virginia State University
Prior Year Finding Number: 2021-078; 2018-101
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 685.309
Known Questioned Costs: $0
The institutions noted below did not report accurate and/or timely enrollment data to the Department of Education (ED) using the National Student Loan Data System (NSLDS), in accordance with 34 CFR § 685.309 and the NSLDS Enrollment Guide, for students who had withdrawn, graduated, or changed enrollment levels. The accuracy of Title IV enrollment data depends heavily on information reported by institutions. The institutions’ inaccurate and untimely enrollment data submissions to NSLDS can affect ED’s reliance on NSLDS for monitoring purposes and may interfere with establishing a student’s loan status, deferment privileges, and grace periods. In addition, noncompliance may also impact an institution’s participation in Title IV programs.
George Mason University
GMU management determined the discrepancies in its enrollment reporting submissions were due to a lack of communication between the Office of the University Registrar and the Office of Student Financial Aid. From our sample of 40 students, we noted the following instances of noncompliance:
GMU reported an inaccurate enrollment status for seven students (18%);
GMU reported an inaccurate enrollment status effective date for nine students (23%);
GMU did not report enrollment status changes timely for seven students (18%);
GMU reported inaccurate information in at least one campus or program-level field deemed critical for nine students (23%); and
GMU did not provide evidence supporting that it reported accurate physical addresses in NSLDS for eight students (20%).
Norfolk State University
NSU management indicated the errors in its enrollment reporting submissions were due to staff turnover in the Office of the Registrar and programming issues within the student information system. From our sample of 39 students, we noted the following instances of noncompliance:
NSU reported an inaccurate enrollment status for six students (15%);
NSU reported an inaccurate enrollment status effective date for 26 students (67%);
NSU did not report enrollment status changes timely for one student (3%); and
NSU reported inaccurate information in at least one campus or program-level field deemed critical for 17 students (44%).
Northern Virginia Community College
A lack of management oversight in NVCC’s Registrar’s Office led to the discrepancies in its enrollment reporting submissions. From our sample of 40 students, we noted the following instances of noncompliance:
NVCC reported an inaccurate enrollment status for ten students (25%);
NVCC reported an inaccurate enrollment status effective date for 12 students (30%);
NVCC did not report enrollment status changes timely for eight students (20%);
NVCC reported inaccurate information in at least one campus or program-level field deemed critical for 14 students (35%); and
NVCC could not demonstrate proper approval for the academic program for one student (3%), since the academic program did not appear on the State Council of Higher Education for Virginia (SCHEV) degree inventory report.
Old Dominion University
ODU management indicated the errors in its enrollment reporting submission were due to staff turnover. From our sample of 50 students, we noted the following instances of noncompliance:
ODU reported an inaccurate enrollment status for nine students (18%);
ODU reported an inaccurate enrollment status effective date for 29 students (58%);
ODU did not report enrollment status changes timely for 15 students (30%); and
ODU reported inaccurate information in at least one campus or program-level field deemed critical for 29 students (58%).
Radford University
The primary cause of the discrepancies in RU’s enrollment reporting submissions was staff turnover and the time required for new staff to become proficient in their responsibilities. From our sample of 43 students, we noted the following instances of noncompliance:
RU reported an inaccurate enrollment status for one student (2%);
RU reported an inaccurate enrollment status effective date for three students (7%);
RU did not report enrollment status changes timely for 10 students (23%);
RU reported inaccurate information in at least one campus or program-level field deemed critical for three students (7%); and
RU could not demonstrate proper approval for the academic program for one student (2%), since the academic program did not appear on the SCHEV degree inventory report.
University of Virginia
The underlying causes for the discrepancies in UVA’s enrollment reporting submissions were data entry errors and batch processing issues. Specifically, UVA recorded a student’s social security number inaccurately in its Student Information System. Additionally, batch enrollment updates caused new data submissions to overwrite previous data, which resulted in deactivated and inaccurate enrollment records. From our review of 40 students, we noted the following instances of noncompliance:
UVA reported an inaccurate enrollment status effective date for four students (10%);
UVA did not report enrollment status changes timely for five students (13%); and
UVA reported inaccurate information in at least one campus or program-level field deemed critical for four students (10%).
Virginia State University
A lack of management oversight in VSU’s enrollment reporting process led to the discrepancies in its enrollment reporting submissions. From our sample of 49 students, we noted the following instances of noncompliance:
VSU reported an inaccurate enrollment status for three students (6%);
VSU reported an inaccurate enrollment status effective date for six students (12%);
VSU did not report enrollment status changes timely for 21 students (43%);
VSU reported inaccurate information in at least one campus or program-level field deemed critical for 10 students (20%);
VSU could not demonstrate proper approval for the academic program for eight students (16%), since the academic program did not appear on the SCHEV degree inventory report; and
The permanent address for two out of 39 applicable federal Direct Loan borrowers (5%) did not agree between the student information system and NSLDS.
Recommendation
Each institution should evaluate its current enrollment reporting procedures and implement corrective action to ensure it reports accurate and timely student enrollment data to NSLDS to prevent future noncompliance. Where applicable, institutions should also consider implementing a quality control review process to monitor the accuracy of campus and program-level batch submissions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not timely identify students requiring a return of Title IV calculation. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
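The day-count rule above, worked in Python as an added example that is not part of the audit report: total days and completed days in the payment period exclude only scheduled breaks of at least five consecutive days, and a withdrawal that falls inside an excluded break is handled by clipping the break to the withdrawal date. The term dates, break dates and withdrawal dates are constructed assumptions, as is the reading that a break's length is its run of consecutive calendar days, weekends included; the example also models the error described in the findings by treating every scheduled break as excludable regardless of its length.

```python
from datetime import date
from fractions import Fraction

# Constructed sample term and breaks (not taken from the audit report).
TERM_START = date(2024, 1, 16)
TERM_END = date(2024, 5, 6)                 # 112 calendar days
SCHEDULED_BREAKS = [
    (date(2024, 2, 19), date(2024, 2, 21)),  # 3-day break: stays in the count
    (date(2024, 3, 9), date(2024, 3, 17)),   # 9-day spring break: excluded
]
MIN_EXCLUDABLE_BREAK = 5  # 34 CFR 668.22: breaks of at least five consecutive days


def _overlap_days(a_start, a_end, b_start, b_end):
    """Calendar days (inclusive) shared by two date ranges; 0 if they are disjoint."""
    lo, hi = max(a_start, b_start), min(a_end, b_end)
    return max(0, (hi - lo).days + 1)


def excluded_break_days(period_start, through, breaks, min_break=MIN_EXCLUDABLE_BREAK):
    """Days in scheduled breaks long enough to be excluded, counted only inside
    period_start..through (inclusive). Break length is the run of consecutive
    calendar days, weekends included (assumption, see lead-in)."""
    total = 0
    for b_start, b_end in breaks:
        if (b_end - b_start).days + 1 < min_break:
            continue  # a short break is an ordinary part of the period
        total += _overlap_days(period_start, through, b_start, b_end)
    return total


def r2t4_days(period_start, period_end, withdrawal_date, breaks,
              min_break=MIN_EXCLUDABLE_BREAK):
    """Return (days_completed, total_days) for the Return of Title IV formula."""
    if not period_start <= withdrawal_date <= period_end:
        raise ValueError("withdrawal date must fall inside the payment period")
    total_days = ((period_end - period_start).days + 1
                  - excluded_break_days(period_start, period_end, breaks, min_break))
    days_completed = ((withdrawal_date - period_start).days + 1
                      - excluded_break_days(period_start, withdrawal_date, breaks, min_break))
    return days_completed, total_days


def percentage_earned(days_completed, total_days):
    """Share of aid earned: completed/total, or all of it once more than 60%
    of the period has been completed."""
    earned = Fraction(days_completed, total_days)
    return Fraction(1) if earned > Fraction(3, 5) else earned


def example_results():
    """Worked cases on the constructed term, returned so they can be checked."""
    withdrew = date(2024, 3, 22)
    correct = r2t4_days(TERM_START, TERM_END, withdrew, SCHEDULED_BREAKS)
    # One way the error in the findings arises: every scheduled break is
    # excluded regardless of length (min_break=1 models that mistake).
    wrong = r2t4_days(TERM_START, TERM_END, withdrew, SCHEDULED_BREAKS, min_break=1)
    # Withdrawal inside the excluded spring break: only break days up to the
    # withdrawal date are removed from the completed count.
    during_break = r2t4_days(TERM_START, TERM_END, date(2024, 3, 12), SCHEDULED_BREAKS)
    return {"correct": correct, "all_breaks_excluded": wrong,
            "withdrew_during_break": during_break}


if __name__ == "__main__":
    for label, (done, total) in example_results().items():
        pct = percentage_earned(done, total)
        print(f"{label}: {done}/{total} days -> {float(pct):.2%} earned")
```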
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. In two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds in accordance with the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of twenty-five (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
In one of forty students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing staff access levels. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.
In accordance with 2 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
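The evaluation the recommendation calls for can be scripted rather than done by eye: compare each employee's assigned student information system roles against an approved matrix for their job function (least privilege) and test for role pairs that must not be held together (segregation of duties). The following Python is an added example, not NVCC's or the auditor's tooling; the role names, job functions, conflicting pairs and user records are constructed for illustration and stand in for whatever the student information system exports.

```python
"""Access-role review: flag excess privileges and conflicting roles.

Added example; the SIS roles, job functions and user records here are
constructed for illustration, not taken from NVCC or the audit.
"""
from dataclasses import dataclass, field

# Approved role matrix: the roles each job function is permitted to hold.
# Anything outside this set is access beyond job responsibilities.
APPROVED_ROLES = {
    "financial_aid_counselor": {"fa_view", "fa_award"},
    "registrar_clerk": {"enrollment_view", "enrollment_update"},
    "bursar_clerk": {"account_view", "refund_post"},
    "it_support": {"account_view", "enrollment_view"},
}

# Role pairs that must never be held by one person (segregation of duties).
CONFLICTING_PAIRS = [
    frozenset({"fa_award", "refund_post"}),   # award aid and pay it out
    frozenset({"fa_award", "fa_approve"}),    # award and approve awards
]


@dataclass
class User:
    name: str
    job_function: str
    roles: set


@dataclass
class Finding:
    user: str
    excess_roles: set = field(default_factory=set)
    conflicts: list = field(default_factory=list)


def review_access(users, approved=APPROVED_ROLES, conflicts=CONFLICTING_PAIRS):
    """Return one Finding per user whose access violates least privilege
    (roles outside the approved set for the job function) or who holds a
    conflicting pair. A job function missing from the matrix has no approved
    roles, so every role that user holds is reported as excess."""
    findings = []
    for user in users:
        allowed = approved.get(user.job_function, set())
        excess = user.roles - allowed
        held_conflicts = [sorted(pair) for pair in conflicts if pair <= user.roles]
        if excess or held_conflicts:
            findings.append(Finding(user.name, excess, held_conflicts))
    return findings


def exception_rate(users, findings):
    """Share of reviewed users with at least one finding, as a fraction."""
    return len(findings) / len(users) if users else 0.0


# Constructed sample export from the SIS (not real staff or data).
SAMPLE_USERS = [
    User("alice", "financial_aid_counselor", {"fa_view", "fa_award"}),
    User("bob", "registrar_clerk", {"enrollment_view", "enrollment_update", "fa_view"}),
    User("carol", "bursar_clerk", {"account_view", "refund_post", "fa_award"}),
    User("dave", "it_support", {"account_view"}),
    User("erin", "intern", {"fa_view"}),   # job function not in the matrix
]

if __name__ == "__main__":
    results = review_access(SAMPLE_USERS)
    for f in results:
        print(f"{f.user}: excess={sorted(f.excess_roles)} conflicts={f.conflicts}")
    print(f"{len(results)} of {len(SAMPLE_USERS)} users "
          f"({exception_rate(SAMPLE_USERS, results):.0%}) need remediation")
```

The approved matrix is the control; the script only detects drift from it, so the matrix itself needs an owner and a review cycle. Running this against a full user export on a schedule, rather than once, is what turns the one-time evaluation in the recommendation into the periodic access review the finding says was missing.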
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-090: Improve Reporting to the National Student Loan Data System
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College; Old Dominion University; Radford University; University of Virginia; Virginia State University
Prior Year Finding Number: 2021-078; 2018-101
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 685.309
Known Questioned Costs: $0
The institutions noted below did not properly report accurate and/or timely enrollment data to the Department of Education (ED) using the National Student Loan Data System (NSLDS) in accordance with 34 CFR § 685.309 and the NSLDS Enrollment Guide, for students that had withdrawn, graduated or changed enrollment levels. The accuracy of Title IV enrollment data depends heavily on information reported by institutions. The institutions’ inaccurate and untimely enrollment data submissions to NSLDS can affect ED’s reliance on NSLDS for monitoring purposes and may interfere with establishing a student’s loan status, deferment privileges and grace periods. In addition, noncompliance may also impact an institution’s participation in Title IV programs.
George Mason University
GMU management determined the discrepancies in its enrollment reporting submissions were due to a lack of communication between the Office of the University Registrar and the Office of Student Financial Aid. From our sample of 40 students, we noted the following instances of noncompliance:
GMU reported an inaccurate enrollment status for seven students (18%);
GMU reported an inaccurate enrollment status effective date for nine students (23%);
GMU did not report enrollment status changes timely for seven students (18%);
GMU reported inaccurate information in at least one campus or program-level field deemed critical for nine students (23%); and
GMU did not provide evidence supporting that it reported accurate physical addresses in NSLDS for eight students (20%).
Norfolk State University
NSU management indicated the errors in its enrollment reporting submissions were due to staff turnover in the Office of the Registrar and programming issues within the student information system. From our sample of 39 students, we noted the following instances of noncompliance:
NSU reported an inaccurate enrollment status for six students (15%);
NSU reported an inaccurate enrollment status effective date for 26 students (67%);
NSU did not report enrollment status changes timely for one student (3%); and
NSU reported inaccurate information in at least one campus or program-level field deemed critical for 17 students (44%).
Northern Virginia Community College
A lack of management oversight in NVCC’s Registrar’s Office led to the discrepancies in its enrollment reporting submissions. From our sample of 40 students, we noted the following instances of noncompliance:
NVCC reported an inaccurate enrollment status for ten students (25%);
NVCC reported an inaccurate enrollment status effective date for 12 students (30%);
NVCC did not report enrollment status changes timely for eight students (20%);
NVCC reported inaccurate information in at least one campus or program-level field deemed critical for 14 students (35%); and
NVCC could not demonstrate proper approval for the academic program for one student (3%), since the academic program did not appear on the State Council of Higher Education for Virginia (SCHEV) degree inventory report.
Old Dominion University
ODU management indicated the errors in its enrollment reporting submission were due to staff turnover. From our sample of 50 students, we noted the following instances of noncompliance:
ODU reported an inaccurate enrollment status for nine students (18%);
ODU reported an inaccurate enrollment status effective date for 29 students (58%);
ODU did not report enrollment status changes timely for 15 students (30%); and
ODU reported inaccurate information in at least one campus or program-level field deemed critical for 29 students (58%).
Radford University
The primary cause of the discrepancies in RU’s enrollment reporting submissions was staff turnover and the time required for new staff to become proficient in their responsibilities. From our sample of 43 students, we noted the following instances of noncompliance:
RU reported an inaccurate enrollment status for one student (2%);
RU reported an inaccurate enrollment status effective date for three students (7%);
RU did not report enrollment status changes timely for 10 students (23%);
RU reported inaccurate information in at least one campus or program-level field deemed critical for three students (7%); and
RU could not demonstrate proper approval for the academic program for one student (2%), since the academic program did not appear on the SCHEV degree inventory report.
University of Virginia
The underlying causes for the discrepancies in UVA’s enrollment reporting submissions were data entry errors and batch processing issues. Specifically, UVA recorded a student’s social security number inaccurately in its Student Information System. Additionally, batch enrollment updates caused new data submissions to overwrite previous data, which resulted in deactivated and inaccurate enrollment records. From our review of 40 students, we noted the following instances of noncompliance:
UVA reported an inaccurate enrollment status effective date for four students (10%);
UVA did not report enrollment status changes timely for five students (13%); and
UVA reported inaccurate information in at least one campus or program-level field deemed critical for four students (10%).
Virginia State University
A lack of management oversight in VSU’s enrollment reporting process led to the discrepancies in its enrollment reporting submissions. From our sample of 49 students, we noted the following instances of noncompliance:
VSU reported an inaccurate enrollment status for three students (6%);
VSU reported an inaccurate enrollment status effective date for six students (12%);
VSU did not report enrollment status changes timely for 21 students (43%);
VSU reported inaccurate information in at least one campus or program-level field deemed critical for 10 students (20%);
VSU could not demonstrate proper approval for the academic program for eight students (16%), since the academic program did not appear on the SCHEV degree inventory report; and
The permanent address for two out of 39 applicable federal Direct Loan borrowers (5%) did not agree between the student information system and NSLDS.
Recommendation
Each institution should evaluate its current enrollment reporting procedures and implement corrective action to ensure it reports accurate and timely student enrollment data to NSLDS to prevent future noncompliance. Where applicable, institutions should also consider implementing a quality control review process to monitor the accuracy of campus and program-level batch submissions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not identify all students requiring a return of Title IV calculation timely. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student was scheduled to complete, except that scheduled breaks of at least five consecutive days are excluded from both the total number of calendar days in the period and the number of calendar days the student completed. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations, resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. In two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
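The day count that this finding turns on is mechanical enough to check in code. The following Python is an added example, not an institution's or the auditor's calculation tool: it counts the calendar days in a payment period and the days completed, removing only scheduled breaks of at least five consecutive days from both, and contrasts that with a run that excludes every listed break. The findings say staff inappropriately excluded break days without saying which; modelling the error as a one-day holiday being treated as a break is an assumption made here. The term dates, break dates and withdrawal date are constructed. The over-60% rule in `percent_earned` comes from 34 CFR § 668.22(e)(2)(ii), which the finding does not quote, and the Handbook's rounding convention is not applied.

```python
"""Return of Title IV (R2T4): calendar-day count with scheduled-break handling.

Added example, not an institution's or the auditor's calculation tool.
The term dates, break dates and withdrawal date below are constructed.
"""
from datetime import date, timedelta


def _days(start, end):
    """All calendar dates from start through end, inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def excluded_break_days(breaks, period_start, period_end, min_break_len=5):
    """Dates removed from the count: only scheduled breaks of at least
    min_break_len consecutive days (five under 34 CFR 668.22(f)(2)(i)).
    A shorter break, such as a single holiday, stays in the count."""
    excluded = set()
    for b_start, b_end in breaks:
        if (b_end - b_start).days + 1 < min_break_len:
            continue
        excluded.update(d for d in _days(b_start, b_end)
                        if period_start <= d <= period_end)
    return excluded


def r2t4_days(period_start, period_end, withdrawal_date, breaks, min_break_len=5):
    """Return (days_completed, total_days) for the period, with qualifying
    scheduled breaks removed from both counts."""
    excluded = excluded_break_days(breaks, period_start, period_end, min_break_len)
    total = sum(1 for d in _days(period_start, period_end) if d not in excluded)
    completed = sum(1 for d in _days(period_start, withdrawal_date) if d not in excluded)
    return completed, total


def percent_earned(completed, total):
    """Fraction of aid earned. More than 60% of the period completed means
    100% earned (34 CFR 668.22(e)(2)(ii), not quoted in the finding).
    Rounded to four places; the Handbook's own rounding is not applied."""
    pct = completed / total
    return 1.0 if pct > 0.60 else round(pct, 4)


# Constructed fall term: Aug 26 - Dec 13, 2024, with a one-day Labor Day
# holiday and a five-day Thanksgiving break (Wed Nov 27 - Sun Dec 1).
# The student withdrew on Oct 15.
TERM_START, TERM_END = date(2024, 8, 26), date(2024, 12, 13)
WITHDRAWAL = date(2024, 10, 15)
BREAKS = [
    (date(2024, 9, 2), date(2024, 9, 2)),     # Labor Day: 1 day, stays in the count
    (date(2024, 11, 27), date(2024, 12, 1)),  # Thanksgiving: 5 days, excluded
]


def correct_calculation():
    return r2t4_days(TERM_START, TERM_END, WITHDRAWAL, BREAKS)


def erroneous_calculation():
    """Assumed form of the error in the finding: every scheduled break,
    including the one-day holiday, is excluded. Modelled by dropping the
    five-consecutive-day minimum."""
    return r2t4_days(TERM_START, TERM_END, WITHDRAWAL, BREAKS, min_break_len=1)


if __name__ == "__main__":
    c, t = correct_calculation()
    print(f"correct:   {c}/{t} days completed, {percent_earned(c, t):.4f} earned")
    c, t = erroneous_calculation()
    print(f"erroneous: {c}/{t} days completed, {percent_earned(c, t):.4f} earned")
```

Because a qualifying break is removed from both the numerator and the denominator, a wrongly excluded holiday moves the percentage earned and therefore the amount returned; the same code with the institution's real term calendar and break table is a cheap pre-submission check against the figures the student information system produces.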
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return unearned Title IV funds within the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(l)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(l), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check; if an electronic funds transfer (EFT) is rejected, the institution must return the funds no later than 45 days after the rejection. By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement, and no earlier than seven days prior to the disbursement date, or after becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-097: Improve Notification Process for Federal Direct Loan Awards to Students
Applicable to: Norfolk State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.165(a)(2)
Known Questioned Costs: $0
NSU Financial Aid Office staff did not provide proper federal Direct Loan notification for one of 25 (4%) borrowers. The Financial Aid Office manually enters data into the student information system which transmits the required notifications to borrowers. However, a staff member assigned to send notifications was out of the office and the Financial Aid Office did not have a designated back-up.
In accordance with 34 CFR § 668.165(a)(2), an institution must notify a student receiving a federal Direct Loan, in writing, of the date and amount of the disbursement, the student’s right to cancel all or a portion of the loan or loan disbursement, and the procedure and time by which the student must notify the institution that he or she wishes to cancel the loan. Additionally, 34 CFR § 668.165(a)(3)(i) and (ii) provide that for Direct Loans, the institution must send the notice no earlier than 30 days before, and no later than 30 days after, crediting the student’s account if the institution obtains affirmative confirmation, and no later than seven days after crediting the student’s account if the institution does not obtain affirmative confirmation.
Not properly notifying students in accordance with federal regulations may result in adverse actions and impact participation in Title IV programs. Additionally, improper notification could limit the amount of time a student or parent has to make an informed decision on whether to accept or reject a loan. The Financial Aid Office should revise its existing procedures to cross train staff, thus providing for proper back-up when staff are absent. NSU management should ensure each federal Direct Loan borrower receives the required notification.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-099: Reconcile Federal Assistance Programs
Applicable to: Northern Virginia Community College
Prior Year Finding Number: 2021-073
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Cash Management - 34 CFR § 676.19(b)(2)
Known Questioned Costs: $0
NVCC Controller’s Office and Financial Aid Office staff did not adequately reconcile its federal Direct Loan program. For two out of two (100%) reconciliations sampled, each had a reconciling difference. The January 2024 ending cash balance had a reconciling difference of $144,734, and March 2024 had a reconciling difference of $7,692. NVCC management indicated management and staff turnover in the Controller’s Office, a lack of communication between the Controller’s Office and the Financial Aid Office, and the Controller’s Office not drawing down funds on a timely schedule contributed to the reconciling differences identified.
In accordance with 34 CFR § 676.19(b)(2), institutions shall establish and maintain program and fiscal records that are reconciled at least monthly. By not reconciling federal student aid programs properly each month, NVCC increases its risk of not identifying issues and resolving them before they become a systemic problem. Systemic problems may result in potential adverse actions and impact participation in Title IV programs.
The NVCC Financial Aid Office and Controller’s Office should review and enhance their current reconciliation process for federal assistance programs. Management should ensure that staff complete reconciliations properly and timely, including addressing reconciling differences.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security
Applicable to: Department of Education - Direct Aid to Public Education
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management; Audit and Accountability
ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data.
The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain the information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of improper access is management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk it will have employees with improper access levels that do not align with the concept of least privilege nor allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable, federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard), states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, a turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation due to the initial inaccuracies.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
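The day-count rule quoted above from 34 CFR § 668.22, as an added example that is not code from the audit report or from any institution’s student information system; it assumes constructed term dates and scheduled breaks, and that the withdrawal date counts as a completed day. Setting min_days to 1 reproduces the error the findings describe, where breaks shorter than five consecutive days are also excluded.

```python
"""Day-count step of the Return of Title IV (R2T4) calculation.

Added example: the rule is that the calendar days in a payment period
exclude scheduled breaks of at least five consecutive days. All term
dates and breaks below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from fractions import Fraction
from typing import Optional

MIN_EXCLUDABLE_BREAK_DAYS = 5  # shorter breaks stay in the count


@dataclass(frozen=True)
class DateRange:
    start: date
    end: date  # inclusive

    def __post_init__(self) -> None:
        if self.end < self.start:
            raise ValueError(f"range ends before it starts: {self}")

    @property
    def days(self) -> int:
        return (self.end - self.start).days + 1

    def clipped_to(self, other: DateRange) -> Optional[DateRange]:
        """Part of this range that overlaps `other`, or None."""
        start, end = max(self.start, other.start), min(self.end, other.end)
        return DateRange(start, end) if start <= end else None


def counted_days(window: DateRange, breaks: list[DateRange],
                 min_days: int = MIN_EXCLUDABLE_BREAK_DAYS) -> int:
    """Calendar days in `window` minus excludable break days inside it.

    A break's length is judged on the full scheduled break, before
    clipping it to the window (a break straddling the withdrawal date
    still counts as one scheduled break).
    """
    excluded = 0
    for b in breaks:
        if b.days < min_days:
            continue  # too short to exclude under the regulation
        part = b.clipped_to(window)
        if part is not None:
            excluded += part.days
    return window.days - excluded


def completion_fraction(period: DateRange, breaks: list[DateRange],
                        withdrawal: date,
                        min_days: int = MIN_EXCLUDABLE_BREAK_DAYS) -> Fraction:
    """Days completed / total days in the period, both net of breaks.

    Assumption made here: the withdrawal date counts as a completed day.
    The later R2T4 steps (applying this fraction to disbursed aid) are
    not shown.
    """
    if not (period.start <= withdrawal <= period.end):
        raise ValueError("withdrawal date must fall inside the payment period")
    total = counted_days(period, breaks, min_days)
    completed = counted_days(DateRange(period.start, withdrawal), breaks, min_days)
    return Fraction(completed, total)


# Constructed fall term: 21 Aug 2023 through 8 Dec 2023 (110 calendar days).
FALL_2023 = DateRange(date(2023, 8, 21), date(2023, 12, 8))
FALL_2023_BREAKS = [
    DateRange(date(2023, 9, 4), date(2023, 9, 4)),     # 1 day: stays in the count
    DateRange(date(2023, 10, 9), date(2023, 10, 10)),  # 2 days: stays in the count
    DateRange(date(2023, 11, 22), date(2023, 11, 26)), # 5 days: excluded
]
WITHDRAWAL = date(2023, 10, 13)  # constructed withdrawal date


if __name__ == "__main__":
    correct = completion_fraction(FALL_2023, FALL_2023_BREAKS, WITHDRAWAL)
    # The error in the findings: every scheduled break excluded, however short.
    wrong = completion_fraction(FALL_2023, FALL_2023_BREAKS, WITHDRAWAL, min_days=1)
    print(f"per regulation:      {correct} = {float(correct):.4f}")
    print(f"all breaks excluded: {wrong} = {float(wrong):.4f}")
```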
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds in accordance with the required timeframe in 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-095: Promptly Return Unclaimed Aid to the Department of Education
Applicable to: Northern Virginia Community College; Old Dominion University; Radford University
Prior Year Finding Number: 2021-075
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(I)
Known Questioned Costs: $0
The institutions noted below did not return unclaimed Title IV aid timely. In accordance with 34 CFR § 668.164(I), if an institution attempts to disburse funds by check and the recipient does not cash the check, the institution must return the funds no later than 240 days after the date it issued that check, or no later than 45 days after a rejected electronic funds transfer (EFT). By not returning funds timely, the institutions may be subject to potential adverse actions affecting participation in Title IV aid programs.
Northern Virginia Community College
For 11 out of 87 (13%) sampled, NVCC Controller’s Office staff did not return a total of $3,296 timely. Incorrectly placed holds on Title IV credit balances and staff turnover in the NVCC Controller’s Office contributed to the untimely return of funds.
Old Dominion University
For four out of 17 (24%) students sampled, ODU Bursar’s Office staff did not return a total of $8,776 timely. A lack of effective processes to ensure compliance with the requirements contributed to the untimely return of funds.
Radford University
Upon review of the outstanding check list as of June 30, 2024, we noted one student refund totaling $1,486, which RU staff did not return timely. RU management indicated staff turnover contributed to the untimely return of funds.
Recommendation
Each institution should ensure staff responsible for tracking unclaimed student financial aid have a thorough understanding of the federal requirements. If the institution is unable to contact the federal aid recipient, and the check remains uncashed or the banking institution rejects the EFT, the institution should return the unclaimed funds to ED within the required timeframe.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement, and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-088: Implement Information Security Program Requirements for the Gramm-Leach-Bliley Act
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 16 CFR § 314.3-4
Known Questioned Costs: $0
Northern Virginia Community College (NVCC) does not comply with certain elements of the Gramm-Leach-Bliley Act (GLBA) related to its information security program. Public Law 106-102, known as GLBA, considers institutions of higher education to be financial institutions because of their engagement in financial assistance programs. Related regulations at Title 16 Code of Federal Regulations (CFR) § 314.3 and 16 CFR § 314.4 require organizations to develop, implement, and maintain an information security program to safeguard customer information. Specifically, NVCC does not comply with the following GLBA requirements:
NVCC’s written information security program states the college will fully vet any third-party service provider who requires access to personal information and the college stated it uses an external vendor for the vetting process. However, NVCC does not have procedures for how it interacts with and uses the final reports from the external vendor to oversee its third-party service providers. GLBA requires organizations to oversee service providers by periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. Additionally, GLBA requires organizations to document procedures for evaluating, assessing, or testing the security of externally developed applications utilized for transmitting, accessing, or storing customer information. Not formally developing procedures to periodically assess its service providers could result in unaddressed vulnerabilities, which may result in the compromise of NVCC’s sensitive information and data.
NVCC does not have a written procedure to conduct a periodic inventory of data. GLBA requires the college to include as part of its written information security program a requirement for identifying and managing data, staff, devices, systems, and facilities that enable it to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. Without a written procedure to periodically conduct an inventory of data, NVCC increases the risk that it may misplace or improperly account for data within its systems, which could result in the lack of appropriate security controls and the compromise of NVCC’s confidential data.
NVCC does not have a written policy and procedure for monitoring data retention periods. Without such a policy and procedure, NVCC may not consistently, timely, or securely dispose of customer data at the end of their retention periods. GLBA requires organizations to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection to the customer, unless such information is necessary for business operations or for other legitimate business purposes. Without a written policy and procedure to monitor data retention periods and secure disposal methods, NVCC cannot verify that its staff is using appropriate methods to dispose of customer data in a timely manner.
NVCC’s recent transition to new applications and external service providers contributed to the college not having current policies and procedures for the elements described above. NVCC should dedicate the necessary resources to develop the policies and procedures needed to support its information security program to ensure that it includes all elements required by GLBA. Completing the requirements outlined by GLBA will assist NVCC in evaluating its information security program and protecting the confidentiality, integrity, and availability of customer information within its environment.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0
NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond what is required to complete their job responsibilities. The improper access resulted from management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that do not align with the concept of least privilege or allow for segregation of duties.
In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.
NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-091: Properly Identify Title IV Withdrawals
Applicable to: George Mason University; Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22(j)(2)
Known Questioned Costs: $0
The institutions noted below did not identify Title IV withdrawals timely. In accordance with 34 CFR § 668.22(j)(2) and Volume 5 of the federal Student Financial Aid Handbook, for institutions that are not required to take attendance, an institution must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (i) payment period or period of enrollment; (ii) academic year in which the student withdrew; or (iii) the educational program from which the student withdrew. By not identifying students who withdraw timely, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions impacting the institutions’ participation in Title IV programs.
George Mason University
For two of 25 students (8%), GMU did not timely identify the students requiring a return of Title IV calculation. GMU management indicated the delays in the fall 2023 and summer 2024 terms were due to a combination of issues including the timing constraints of waiting on the posting of grades following a scheduled holiday break and delays in submitting disbursement records through the federal Common Origination and Disbursement System (COD).
Norfolk State University
For six of 25 students (24%), NSU did not timely identify all students requiring a return of Title IV calculation. At the end of the spring 2024 term, turnover in Registrar Office management contributed to the dissemination of inaccurate withdrawal information to the Financial Aid Office. As a result of these initial inaccuracies, the Financial Aid Office experienced delays in identifying students requiring a return of Title IV calculation.
Northern Virginia Community College
For three of 25 students (12%), NVCC did not identify students requiring a return of Title IV calculation timely. NVCC management stated that the Financial Aid Office delays resulted from instructors waiting to confirm attendance after the spring 2024 term concluded.
Recommendation
Each institution should implement necessary corrective actions to timely identify students receiving Title IV aid that have withdrawn.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-092: Properly Perform Return of Title IV Calculations
Applicable to: Norfolk State University; Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.22
Known Questioned Costs: $0
The institutions noted below did not perform the return of Title IV calculation in accordance with 34 CFR § 668.22 and Volume 5 of the federal Student Financial Aid Handbook. When a recipient of Title IV grant or loan assistance withdraws from an institution during a period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student's withdrawal date. The total number of calendar days in a payment period includes all days within the period that the student completed, excluding scheduled breaks of at least five consecutive days. By not performing accurate return of Title IV calculations, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
NSU management indicated staff did not follow established written policies and procedures and did not properly set up the academic periods in the student information system. As a result, we noted the following instances of noncompliance:
For one of 25 students (4%) tested, the Financial Aid Office staff incorrectly returned direct loans totaling $1,732 to ED after determining the student earned the funds.
For two of 25 students (8%) tested, the Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded scheduled break days from the calculations resulting in underpayments of Pell grants to ED totaling $241.
Northern Virginia Community College
NVCC management indicated that the errors in the fall 2023 term resulted from staff not updating the system with the correct holiday information. For two of two students (100%) reviewed for the fall term, NVCC Financial Aid Office staff did not perform the return calculation in accordance with federal regulations because the staff inappropriately excluded break days from the calculations, resulting in underpayments to ED totaling $41.
Recommendation
Each institution should properly train staff on the written policies and procedures for setting up term information in the student information system and performing the return of Title IV calculation accurately. Further, institution management should ensure staff correctly enter the scheduled breaks into the student information system to prevent future noncompliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-093: Promptly Return Unearned Title IV Funds to Department of Education
Applicable to: Norfolk State University; Northern Virginia Community College; Old Dominion University
Prior Year Finding Number: 2021-077
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.21(b)
Known Questioned Costs: $0
The following institutions did not return Title IV unearned funds within the timeframe required by 34 CFR § 668.21(b) and Volume 5 of the federal Student Financial Aid Handbook. Each institution must return unearned funds for which it is responsible as soon as possible, but no later than 45 days after the date that the institution becomes aware that a student has withdrawn. By not returning funds in a timely manner, the institutions are not in compliance with federal requirements and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
Norfolk State University
For five of 18 students (28%), the date of return of unearned funds was greater than 45 days after the date of determination. Staff turnover in the Financial Aid Office was the primary cause of the delay in returning the funds.
Northern Virginia Community College
For one of 11 students (9%) tested, NVCC Financial Aid Office staff did not return unearned funds to ED for five months. A lack of communication between the Controller’s Office and the Financial Aid Office coupled with staff turnover in the Controller’s Office contributed to the delay in returning the funds.
Old Dominion University
ODU management indicated a lack of effective processes to ensure compliance with reporting requirements contributed to delays in returning the funds. For ten of 17 students (59%) tested, the net portion of the Direct Loan was not returned within the required timeframe resulting in $325 in unreturned federal aid.
Recommendation
Each institution should implement necessary corrective actions to ensure that it returns unearned Title IV funds to ED within the required timeframe. In addition, the institutions should train staff on the federal requirements to ensure compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-094: Properly Complete Federal Verification Prior to Disbursing Title IV Aid
Applicable to: George Mason University; Norfolk State University; Old Dominion University; Virginia Polytechnic Inst. and State University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.54-57
Known Questioned Costs: $0
The institutions noted below did not properly complete student verification prior to disbursing Title IV aid. In accordance with 34 CFR § 668.54 through 34 CFR § 668.57, an institution must require an applicant, whose Free Application for Federal Student Aid (FAFSA) information has been selected for verification, to verify the information selected by ED. Federal Register 87 F.R. 40826 outlines the 2023 - 2024 Award Year FAFSA information ED requires to be verified and the acceptable documentation by Verification Tracking Flag and Verification Tracking Group. Further, in accordance with ED Electronic Announcement GRANTS 24-04, published on April 12, 2024, institutions are required to verify all recipients selected for verification by ED’s Central Processing System (CPS) unless a recipient is exempt from verification in accordance with the exclusions from verification provided for in the regulations at 34 CFR § 668.54(b). By not performing or improperly performing the necessary verification, institutions may provide financial aid disbursements to students based upon inaccurate information and may be subject to potential adverse actions affecting the institutions’ participation in Title IV programs.
George Mason University
GMU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of seven (14%) students flagged for verification, the GMU Office of Student Financial Aid staff did not match the income tax paid from the FAFSA to the student information system prior to awarding Title IV aid totaling $8,189.
For one of 25 (4%) students tested for verification, the GMU Office of Student Financial Aid staff did not match the student’s adjusted gross income from the FAFSA to the student information system prior to awarding Title IV aid totaling $11,796.
Norfolk State University
NSU management indicated staff did not follow written verification policies and procedures, which resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the number of family members in the household resulting in the student not receiving a Pell grant of $4,245.
For one of 25 students (4%) tested, the NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in the student receiving an over award of a Pell grant of $675.
For one of 25 students (4%) tested, NSU Financial Aid Office staff inaccurately verified the adjusted gross income resulting in no impact to the student.
Old Dominion University
ODU management indicated staff turnover in the financial aid office resulted in the errors. We noted the following instances of noncompliance:
For one of 25 students (4%) tested, ODU Financial Aid Office staff did not request or obtain appropriate documentation to verify the application data prior to awarding Title IV aid totaling $9,479.
For one of 25 students tested (4%), ODU Financial Aid Office staff used incorrect documentation while completing the verification. The student received Title IV aid totaling $12,967.
For one of two students tested (50%), ODU Financial Aid Office staff did not match the information on the FAFSA to the requested information prior to awarding the student Title IV aid totaling $6,234.
Virginia Tech
VT management indicated a combination of factors including an error by the third-party vendor and an internal error in the computer logic that assigns students to specific tracking groups for required follow-up contributed to the errors. We noted the following instances of noncompliance:
For two out of 33 (6%) students flagged for verification, the VT Office of University Scholarship and Financial Aid staff did not request or obtain appropriate documentation to verify applications prior to awarding Title IV aid totaling $11,877.
For one of 25 (4%) students tested, the third-party vendor verified an incorrect amount for the Education Tax Credit.
Recommendation
Each institution should ensure staff are knowledgeable of its written policies and procedures. Institution management should implement corrective action to prevent future noncompliance and should consider implementing a quality control review to ensure that staff obtain, review, and retain acceptable documentation for audit purposes.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-096: Improve Reporting to the Common Origination and Disbursement System
Applicable to: James Madison University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 668.164(a)
Known Questioned Costs: $0
JMU’s Office of Financial Aid and Scholarships staff did not report accurate and/or timely disbursements to COD. JMU management indicated the errors were due to a combination of factors including staff selecting an incorrect disbursement date in the student information system when sending disbursement information to COD for one batch in January 2024 and staff delaying the reporting of disbursement information to COD for another batch in January 2024. JMU indicated the new FAFSA form resulted in additional pressure on financial aid staff during this time. We noted the following instances of noncompliance:
For three of 40 students (8%), staff did not report the correct disbursement dates in COD.
For one of 40 students (3%), staff did not report the disbursement timely.
In accordance with 88 F.R. 41092, published on June 23, 2023, an institution must submit federal Pell Grant and Direct Loan disbursement records accurately and no later than 15 days after making the disbursement and no earlier than seven days prior to the disbursement date or becoming aware of the need to adjust a student’s previously reported disbursement. In accordance with 34 CFR § 668.164(a), Title IV funds are disbursed on the date that the institution (a) credits those funds to the student’s account in the institution’s general ledger or any subledger of the general ledger, or (b) pays those funds to the student directly. ED considers Title IV funds disbursed even if the institution uses its own funds in advance of receiving program funds from ED.
If an institution does not submit accurate disbursement records within the required timeframe, it may result in ED rejecting all or part of the reported disbursement. Improper reporting may result in an audit or program review finding or the initiation of an adverse action, such as a fine or other penalty. JMU should review its current policies and procedures for submitting disbursement records and implement corrective action to ensure future compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-098: Promptly Disburse Credit Balances to Students
Applicable to: Norfolk State University; Old Dominion University
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 34 CFR § 668.164(d)(1)(i)(a)(ii)(a); 34 CFR § 668.164(h)(2)(i)(ii)
Known Questioned Costs: $0
The institutions noted below did not provide timely refunds to students after posting disbursements. In accordance with 34 CFR § 668.164(d)(1)(i)(a)(ii)(a) and 34 CFR § 668.164(h)(2)(i)(ii), a school may pay a credit balance by initiating an EFT to a bank account the student or parent designates. A school that is paying a student his or her credit balance with a direct disbursement must pay the student within 14 days or be able to provide payment to the student upon demand within 14 days of crediting the student’s account. Regardless of the method used, a school must disburse the credit balance within the regulatory time frame. By not disbursing the funds timely, the institutions may be subject to potential adverse actions that may affect participation in Title IV aid programs.
Norfolk State University
For two of 17 (12%) students, NSU Bursar’s Office staff refunded credit balances up to 26 days after each student received credit on their student account. NSU management indicated staff shortages, training new staff, and processing a large volume of refunds at the beginning of a term contributed to the delay in refunding the students.
Old Dominion University
For two of 20 (10%) students, ODU Bursar’s Office staff refunded credit balances up to 51 days after each student received credit on their student account. ODU management indicated staff shortages and manual processing contributed to the delay in refunding the students.
Recommendation
Each institution should take necessary corrective actions to disburse credit balances to students timely, thus ensuring disbursement of Title IV aid aligns with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-100: Ensure an Accurate Fiscal Operations Report and Application to Participate (FISAP) is Submitted to the Department of Education
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 34 CFR § 675.19 (b)(3); 34 CFR § 676.19 (b)(3)
Known Questioned Costs: $0
NVCC inaccurately reported two fields on the college’s FISAP. NVCC overstated its enrollment by 17,562 students in Field 7 and overstated tuition and fees by $6,799,023 in Section II, Field 22. A lack of management oversight and a misunderstanding of the Virginia Community College System report that includes tuition and fees and additional revenue sources contributed to the reporting errors.
In accordance with 34 CFR § 675.19 (b)(3) and 34 CFR § 676.19(b)(3), each year, an institution shall submit a FISAP plus other information ED requires. The institution shall report accurate information on the form and submit it at the time ED specifies. The FISAP instructions provided by ED further inform institutions of what to report in Section II, Fields 7 and 22. Per this guidance, dual-enrolled high school students should be excluded from the enrollment total, and institutions should exclude tuition and fee revenue collected from individuals not meeting the description of an enrolled student.
Inaccurately reporting FISAP information provides ED with inaccurate information from which to make funding decisions. NVCC management should enhance policies and procedures and train staff on the FISAP instructions to ensure the college reports the proper amounts on the FISAP.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-072: Strengthen Controls over Procurement
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0
Epidemiology is not compiling and retaining a comprehensive contract listing for all procured and active contracts funded by the ELC federal grant program. Management was unable to provide the comprehensive contract listing due to not properly maintaining the documentation.
Title 2 CFR § 200.317 governs procurements by states and requires that “when procuring property and services under a Federal award, a State must follow the same policies and procedures it uses for procurements from its non-Federal funds.” Department of General Services Agency Procurement and Surplus Property Manual (APSPM) - Section 10.3 requires agencies to maintain a complete file in one place for each purchase transaction. It states that the file must contain, at a minimum, as applicable, the description of requirements, sources solicited, a copy of the Virginia Business Opportunities receipt, cancellation notices, the method of evaluation and award, a signed copy of the contract or purchase order, contractor performance report submitted by the administrator, modifications or change orders, vendor complaint forms, cure letters, usage data such as release or obligation registers, and any other actions relating to the procurement. In addition, APSPM Annex 10-A, which is a Post Award Administration Checklist, requires the agency to list the contract on the agency’s master contract list or schedule to include period of performance and any renewal option(s) to allow for the planning of renewal or rebidding actions.
Health's individual offices or Local Health Districts (LHD) complete procurements for the ELC federal grant program up to $100,000, with procurements over $10,000 and up to $100,000 being solicited through a “quick quote.” Health’s Office of Procurement and General Services handles complex procurements. Since Health has 35 LHDs, the absence of a comprehensive contract listing increases the risk of a contract being established by an LHD that goes unnoticed by Epidemiology. Due to limited staff and the number of health offices and LHDs involved in the procurement process, Epidemiology was unable to provide a comprehensive contract listing. By not maintaining proper documentation and support, Health is unable to ensure the effectiveness of internal controls. Furthermore, it is difficult to substantiate the legitimacy of the procurement transaction, increasing the risk of unauthorized transactions, which also increases the potential for questioned costs.
Health’s management should develop a policy requiring the compilation of comprehensive contract listings and communicate the policy to the applicable offices and districts. Health’s management should also ensure that the applicable offices and districts involved have adequate staffing and training on contract procurement and the need to maintain adequate documentation for all procurements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d)
Known Questioned Costs: $0
Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse).
Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings.
OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-107: Strengthen Controls over FFATA Reporting
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Health is not completing Federal Funding Accountability and Transparency Act (FFATA) reporting for the ELC and STLT federal grant programs. During our audit, we found that Epidemiology and OHE did not complete FFATA reporting submissions for subrecipients who received $30,000 or more in ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. Title 2 CFR Part 170 Appendix A, included in award documents signed by management, requires Health to report each obligating action, exceeding $30,000, to the FFATA Subaward Reporting System (FSRS). Health’s FFATA reporting policy, which Health last updated in 2014, states that all offices and districts that are recipients of federal grants and contracts shall adhere to all requirements of the FFATA and ensure timely and accurate reporting.
Epidemiology and OHE have experienced turnover in key positions that were historically responsible for completing and submitting FFATA reports. In addition, OFM did not have a procedure in place to detect subawards that it should have reported to FSRS. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how Health is obligating federal funds.
Epidemiology and OHE should ensure program personnel adhere to Health policies and procedures and fulfill FFATA reporting responsibilities by submitting required FFATA subaward reporting information by the due date and retaining documentation to support the submissions. Additionally, OFM should update and communicate the FFATA reporting policy to applicable offices and districts. Further, OFM should periodically analyze subaward records to determine if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, OFM should collect this information from the applicable program personnel promptly to comply with the FFATA reporting requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings.
OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-107: Strengthen Controls over FFATA Reporting
Applicable to: Department of Health
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Health is not completing Federal Funding Accountability and Transparency Act (FFATA) reporting for the ELC and STLT federal grant programs. During our audit, we found that Epidemiology and OHE did not complete FFATA reporting submissions for subrecipients who received $30,000 or more in ELC and STLT funds.
During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. Title 2 CFR Part 170 Appendix A, included in award documents signed by management, requires Health to report each obligating action, exceeding $30,000, to the FFATA Subaward Reporting System (FSRS). Health’s FFATA reporting policy, which Health last updated in 2014, states that all offices and districts that are recipients of federal grants and contracts shall adhere to all requirements of the FFATA and ensure timely and accurate reporting.
Epidemiology and OHE have experienced turnover in key positions that were historically responsible for completing and submitting FFATA reports. In addition, OFM did not have a procedure in place to detect subawards that it should have reported to FSRS. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how Health is obligating federal funds.
Epidemiology and OHE should ensure program personnel adhere to Health policies and procedures and fulfill FFATA reporting responsibilities by submitting required FFATA subaward reporting information by the due date and retaining documentation to support the submissions. Additionally, OFM should update and communicate the FFATA reporting policy to applicable offices and districts. Further, OFM should periodically analyze subaward records to determine if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, OFM should collect this information from the applicable program personnel promptly to comply with the FFATA reporting requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1)
Known Questioned Costs: $0
Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and noted that each of them lacked one or more of the elements required by 2 CFR § 200.332(a)(1). Specifically, we noted the following instances of non-compliance in these subaward renewal agreements:
Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii).
Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii).
Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii).
Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x).
Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii).
Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv).
During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement.
Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements.
Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f)
Known Questioned Costs: $0
Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients who are not local governments and are mainly comprised of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following:
Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000.
Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One of the non-locality subrecipients’ auditors identified $82,253 in known questioned costs because the non-locality subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Clearinghouse. A management decision is Social Services’ written determination, provided to its subrecipient, of the adequacy of the subrecipient’s proposed corrective actions to address the audit findings. It is based on Social Services’ evaluation of the audit findings and proposed corrective actions, including a determination of whether the questioned costs are disallowed and must be repaid to the federal awarding agency.
As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant.
According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns Compliance the responsibility for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that it is fulfilling the pass-through entity responsibilities in 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until Social Services takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending or terminating the federal award in part or in its entirety, initiating suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, Social Services may be unaware of a potential liability to the Commonwealth by not reviewing the non-locality Single Audit reports.
Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions.
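The alternative corrective action recommended above (reconciling an accounting-system list of non-locality subrecipients against the Clearinghouse) can be run as a routine control rather than a one-off review. The script below is an added illustration, not part of the audit report or of the agency’s own systems. It applies the two rules the finding cites, the $750,000 audit threshold in 2 CFR § 200.332(f) and the six-month management decision window in 2 CFR § 200.332(d)(3), to constructed sample data; the record layouts, subrecipient names, amounts and dates are assumptions standing in for an accounting extract and a Clearinghouse lookup.

```python
"""Monitoring status check for non-locality subrecipients (illustrative, not agency code).

Inputs are constructed: an accounting extract of federal funds passed through
to each subrecipient, a stand-in for Clearinghouse lookup results, and the
management decisions the pass-through entity has issued.
"""
from dataclasses import dataclass
from datetime import date
import calendar

AUDIT_THRESHOLD = 750_000   # 2 CFR 200.332(f): Single Audit expected at or above this
DECISION_MONTHS = 6         # 2 CFR 200.332(d)(3): management decision within six months


@dataclass(frozen=True)
class ClearinghouseRecord:
    subrecipient: str
    accepted_on: date                  # date the Clearinghouse accepted the report
    findings_affect_our_programs: bool
    questioned_costs: int = 0


@dataclass(frozen=True)
class ManagementDecision:
    subrecipient: str
    issued_on: date


def add_months(d: date, n: int) -> date:
    """Calendar-aware month arithmetic; clamps to the last valid day of the target month."""
    month0 = d.month - 1 + n
    year = d.year + month0 // 12
    month = month0 % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review(passthrough, records, decisions, as_of):
    """Return {subrecipient: status} for every subrecipient at or above the audit threshold.

    no_report        -> audit expected, nothing found in the Clearinghouse
    decision_due     -> findings affect our programs; decision still within the window
    decision_overdue -> window has passed with no decision issued
    decision_late    -> decision issued after the window closed
    clear            -> report present and nothing outstanding
    Subrecipients below the threshold are omitted from the result.
    """
    by_sub = {r.subrecipient: r for r in records}
    decided = {d.subrecipient: d.issued_on for d in decisions}
    out = {}
    for sub, amount in passthrough.items():
        if amount < AUDIT_THRESHOLD:
            continue
        rec = by_sub.get(sub)
        if rec is None:
            out[sub] = "no_report"
            continue
        if not rec.findings_affect_our_programs:
            out[sub] = "clear"
            continue
        due = add_months(rec.accepted_on, DECISION_MONTHS)
        if sub in decided:
            out[sub] = "clear" if decided[sub] <= due else "decision_late"
        else:
            out[sub] = "decision_overdue" if as_of > due else "decision_due"
    return out


# Constructed sample data (hypothetical subrecipients; not from the report).
PASSTHROUGH = {"NP-A": 1_200_000, "NP-B": 900_000, "NP-C": 400_000,
               "NP-D": 800_000, "NP-E": 2_000_000}
RECORDS = [
    ClearinghouseRecord("NP-A", date(2023, 8, 31), True, 12_500),  # decision due 2024-02-29
    ClearinghouseRecord("NP-B", date(2024, 3, 1), False),
    ClearinghouseRecord("NP-E", date(2024, 1, 20), True, 5_000),   # decision due 2024-07-20
]
DECISIONS = [ManagementDecision("NP-E", date(2024, 5, 30))]


def run(as_of: str = "2024-06-30") -> dict:
    """Run the review against the constructed data as of an ISO date."""
    return review(PASSTHROUGH, RECORDS, DECISIONS, date.fromisoformat(as_of))


if __name__ == "__main__":
    for sub, status in sorted(run().items()):
        print(f"{sub}: {status}")
```

Running it as of 30 June 2024 flags NP-D for having no report on file and NP-A for an overdue management decision, while NP-C is skipped because it is below the threshold. Re-running with an earlier date shows NP-A as merely due, which is the distinction a monitoring plan needs in order to escalate only items that are actually past their deadline.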
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessments and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessments and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-101: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-105; 2022-103
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0
Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the ACF-199 and ACF-209 performance reports. ACF requires Social Services to submit this data quarterly and uses it to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program.
Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on the provider’s internal controls during the data extraction and data reporting process. Since the prior audit, Benefit Programs has worked with its service provider to analyze the reporting errors to determine their cause and the appropriate actions to resolve them. However, because of the extent of its corrective actions, Benefit Programs has not fully implemented all of them and continues to rely on ACF’s error correction controls, performed after report submission, to obtain assurance over the accuracy of the data included in its submissions.
We audited 60 cases and identified 19 instances (32%) where the third-party service provider did not report key line-item information accurately based on the data Social Services maintains in its case management system or other supporting data and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report on the following key line items:
Benefit Programs did not accurately report on the “Work Participation Status” key line item for 13 out of 60 (22%) cases tested during the audit.
Benefit Programs did not accurately report on the “Receives Subsidized Child Care” key line item for four out of 31 (13%) cases tested during the audit.
Benefit Programs did not accurately report on the “Hours of Participation” key line item for four out of 60 (7%) cases tested during the audit.
Benefit Programs did not accurately report on the “Work Eligibility Individual Indicator” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Number of Months Countable Toward Federal Time Clock” key line item for two out of 56 (4%) cases tested during the audit.
Benefit Programs did not accurately report on the “Type of Family for Work Participation” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Parent with Minor Child” key line item for one out of 56 (2%) cases tested during the audit.
Benefit Programs did not accurately report on the “Unsubsidized Employment” key line item for one out of 60 (2%) cases tested during the audit.
Additionally, because of the lack of internal control over the ACF-199 and ACF-209 federal reports, Benefit Programs did not identify that the ACF revised the reporting specifications in November 2023 for certain key line items. Although ACF provided administering agencies with nearly a year to implement the new reporting specifications, Benefit Programs has not yet initiated discussions with its service provider to bring its current reporting model in line with the new reporting specifications. Therefore, there is risk that Social Services will continue to report inaccurate information to ACF going forward without working with its service provider to implement the new reporting specifications.
Title 45 CFR § 265.7(b) requires States to have complete and accurate reports, which means that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent. Additionally, 2 CFR § 200.303(a) requires that Social Services establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring Social Services’ work participation rates and the overall performance of the TANF federal grant program. Further, ACF can impose a penalty if it finds Social Services did not meet statutorily required work participation rates. Because of the scope of this matter and the errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance since Social Services did not comply with the provisions at 45 CFR § 265.7(b).
Benefit Programs should implement internal controls over the TANF federal performance reporting process, including a documented secondary review of the service provider’s data that it completes before report submission. Additionally, Benefit Programs should develop a process to track changes to the reporting specifications and communicate the changes to the service provider in advance of the applicable implementation date.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-102: Implement Internal Controls over TANF Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Benefit Programs has not documented its process for preparing the ACF’s Annual Report on State MOE Programs (ACF-204) for the TANF federal grant program. ACF requires Social Services to submit this data annually and uses the information in reports to Congress about how TANF programs are evolving, in assessing State and Territory MOE expenditures, and in assessing the need for legislative changes. Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
During fiscal year 2024, Benefit Programs performed an analysis of ACF-204 reporting errors identified during the prior audit to determine causality and has taken actions to resolve those errors. Additionally, Benefit Programs created a systems modification request to correct errors that it identified as occurring due to inaccurate programming in the data modification phase of the federal report creation. However, Benefit Programs has not yet documented its processes for preparing the ACF-204 report through a written policy and procedure.
Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Benefit Programs should dedicate the necessary resources to document its processes for preparing the ACF-204 report to ensure reasonably accurate reporting of TANF MOE Programs to ACF in accordance with the ACF-204 reporting instructions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-103: Monitor Case Management System Records to Ensure Compliance with TANF Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-103
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 8 USC § 1611; 42 USC § 604(a)(1); 42 USC § 608(a)(3); 42 USC § 608(a)(10); 45 CFR § 261.13; 45 CFR § 263.2(b)(2)
Known Questioned Costs: $6,968
Social Services did not comply with certain federal eligibility requirements for the TANF federal grant program, resulting in known questioned costs of $6,968. The TANF federal grant program provided over $89 million in assistance to approximately 26,000 needy families during fiscal year 2024. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 24 instances (<1%) where the facts in the recipient's case record did not support the eligibility determination. Specifically:
For 14 payments, Social Services did not properly evaluate whether individuals were already counted as eligible for TANF benefits under an existing case which allowed these individuals to receive multiple benefit payments in excess of its Standards of Assistance and maximum program benefit amounts. Title 42 United States Code (USC) § 604(a)(1) mandates that a state may use the grant in any manner that is reasonably calculated to accomplish the purpose of TANF where Social Services’ reasonable calculation is defined by its Standard of Assistance and maximum program benefit amounts within its TANF Program Manual.
For five payments, Social Services did not properly assign to the state the rights that the family member may have to child support, with the result that recipients were underpaid in their benefit amount. Title 42 USC § 608(a)(3) mandates that the state shall require, as a condition of providing assistance, that a member of the family assign to the state the rights the family member may have to support from any other person, and this assignment may not exceed the amount of assistance provided by the state.
For one payment, Social Services did not properly evaluate the income eligibility of the case. Title 45 CFR § 263.2(b)(2) defines financially “needy” as financially eligible according to the state’s quantified income and resource criteria, which Social Services quantifies through its TANF Manual as maximum income charts in Section 305, Appendix 1.
For one payment, Social Services did not properly evaluate the extended absence of a child or adult in the case. Title 42 USC § 608(a)(10) mandates that a state shall not use any part of the grant to provide assistance to a minor child who has been absent from the home for a period of 45 consecutive days.
For two payments, Social Services did not properly reduce or terminate assistance for individuals not complying with the Commonwealth’s work requirements for the TANF program. Title 45 CFR § 261.13 mandates that if an individual in a family receiving assistance refuses to engage in required work without good cause, a state must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual refuses or may terminate assistance.
For one payment, Social Services did not properly evaluate the qualified alien status of the case as required by 8 USC § 1611.
Social Services relies on its case management system to properly determine eligibility, correctly calculate benefit payments, and achieve the federal requirements of the TANF federal grant program. Of the exceptions noted above, five of the 24 (21%) were the result of local Social Services eligibility workers mistakenly reporting child support payments as unearned revenue beyond the acceptable timeframe instead of assigning these payments to the Commonwealth for referral to the Division of Child Support Enforcement, as required by the USC. The remaining 19 exceptions (79%) resulted from local Social Services eligibility workers not including sufficient documentation to justify the rationale for their eligibility determinations. Social Services did not identify these exceptions because it did not have a mechanism to identify risky transactions in its case management system that deviate from its normal practices and require further follow-up. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should continue to provide additional training to local Social Services eligibility workers on how to properly determine and document eligibility determinations in its case management system. Additionally, Social Services should consider implementing a data-driven approach to monitor and analyze data from its case management system to identify risky transactions that deviate from its normal practices. By providing additional training and implementing additional risk-based data analytics, Social Services will be able to ensure that the facts in the applicant’s or recipient’s case record support each eligibility decision in its case management system and comply with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-107; 2022-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Finance is not maintaining adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting is intended to provide full disclosure of how entities and organizations are obligating federal funds. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds from roughly 5,300 subawards.
While auditing FFATA reporting for the TANF federal grant program, we noted that Finance did not file any FFATA reports for its subrecipients. Social Services awarded over $72 million in nearly 300 new TANF subawards during fiscal year 2024. Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action that equals or exceeds $30,000 to the FFATA Subaward Reporting System (FSRS) by the end of the month following the obligating action. This also applies to any subaward modifications that increase the amount to equal or exceed $30,000. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities since it does not determine which subrecipients will receive federal funding. Because there is an elevated risk that Finance will not report all subaward information to FSRS, it has obtained a report of subrecipients from its financial reporting system and identified those who spent $30,000 or more in TANF funds during fiscal year 2024. However, Finance management did not compare this report to its FSRS submissions to verify that the agency made the submissions accurately and timely. As a result, Finance management did not recognize that it did not comply with the FFATA reporting requirements.
When Social Services does not upload all obligating actions meeting the reporting threshold to FSRS as required, citizens and federal officials may have a distorted view of how Social Services is obligating federal funds. Finance management should provide sufficient oversight to confirm that the agency submits FFATA reports accurately and timely. Specifically, Finance management should periodically compare the report of subrecipients from its financial reporting system to its FSRS submissions to ensure it reports all subawards, and escalate any concerns that hinder its ability to comply with federal regulations. Because the reporting trigger is the obligating action rather than the amount spent, that comparison should start from obligations recorded in the financial reporting system, including modifications that raise a subaward to the $30,000 threshold.
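The reconciliation recommended above, worked as an added example that is not part of the report or the agency's own process: it applies the two rules quoted in the finding (report each obligating action of $30,000 or more, and any modification that lifts a subaward to that threshold, by the end of the month following the action) to a constructed list of obligating actions and FSRS submissions, and classifies each reportable action as timely, late, pending or missing. The subaward identifiers, dates and amounts are invented, and the matching rule (earliest unused submission filed on or after the action date) is an assumption.

```python
"""Reconcile subaward obligating actions against FFATA submissions to FSRS.
Added illustration, not code from the report or the agency; data is constructed."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

THRESHOLD = 30_000  # 2 CFR Part 170 Appendix A reporting threshold, in dollars


@dataclass(frozen=True)
class ObligatingAction:
    subaward_id: str
    action_date: date
    amount: int   # dollars obligated by this action
    kind: str     # "new" or "modification"


@dataclass(frozen=True)
class FsrsSubmission:
    subaward_id: str
    submitted: date


def due_date(action_date: date) -> date:
    """FFATA deadline: the last day of the month following the obligating action."""
    year, month = action_date.year, action_date.month + 1
    if month > 12:
        year, month = year + 1, 1
    return date(year, month, monthrange(year, month)[1])


def reportable_actions(actions: Iterable[ObligatingAction]) -> List[ObligatingAction]:
    """Actions that must be reported: any action of THRESHOLD or more, plus a modification
    that lifts the subaward's cumulative obligation from below to at or above THRESHOLD
    (our reading of the rule quoted in the finding)."""
    totals: Dict[str, int] = {}
    out: List[ObligatingAction] = []
    for a in sorted(actions, key=lambda x: (x.subaward_id, x.action_date)):
        before = totals.get(a.subaward_id, 0)
        after = before + a.amount
        totals[a.subaward_id] = after
        if a.amount >= THRESHOLD or before < THRESHOLD <= after:
            out.append(a)
    return out


def reconcile(actions: Iterable[ObligatingAction], submissions: Iterable[FsrsSubmission],
              as_of: date) -> List[dict]:
    """Match each reportable action to the earliest unused FSRS submission filed on or
    after the action date (assumed matching rule) and classify it."""
    filed: Dict[str, List[date]] = {}
    for s in submissions:
        filed.setdefault(s.subaward_id, []).append(s.submitted)
    results: List[dict] = []
    for a in reportable_actions(actions):
        due = due_date(a.action_date)
        pool = filed.get(a.subaward_id, [])
        candidates = sorted(d for d in pool if d >= a.action_date)
        submitted: Optional[date] = candidates[0] if candidates else None
        if submitted is None:
            status = "pending" if as_of <= due else "missing"
        else:
            pool.remove(submitted)  # one submission satisfies one reportable action
            status = "timely" if submitted <= due else "late"
        results.append({"subaward_id": a.subaward_id, "action_date": a.action_date,
                        "due": due, "submitted": submitted, "status": status})
    return results


# Constructed sample data (not from the report).
SAMPLE_ACTIONS = [
    ObligatingAction("S-001", date(2023, 12, 10), 45_000, "new"),          # due 2024-01-31
    ObligatingAction("S-002", date(2023, 9, 2), 20_000, "new"),            # below threshold
    ObligatingAction("S-002", date(2023, 11, 20), 15_000, "modification"),  # crosses $30k
    ObligatingAction("S-003", date(2024, 1, 31), 30_000, "new"),           # due 2024-02-29
    ObligatingAction("S-004", date(2024, 6, 12), 50_000, "new"),           # due 2024-07-31
    ObligatingAction("S-005", date(2023, 8, 1), 10_000, "new"),
    ObligatingAction("S-005", date(2024, 2, 1), 5_000, "modification"),    # stays below $30k
]
SAMPLE_SUBMISSIONS = [
    FsrsSubmission("S-001", date(2024, 1, 15)),
    FsrsSubmission("S-003", date(2024, 3, 5)),
]
AS_OF = date(2024, 6, 30)


def run_sample() -> Dict[str, str]:
    """Subaward id -> status for the constructed data."""
    return {r["subaward_id"]: r["status"]
            for r in reconcile(SAMPLE_ACTIONS, SAMPLE_SUBMISSIONS, AS_OF)}


if __name__ == "__main__":
    for r in reconcile(SAMPLE_ACTIONS, SAMPLE_SUBMISSIONS, AS_OF):
        print(f"{r['subaward_id']} action {r['action_date']} due {r['due']} "
              f"submitted {r['submitted']}: {r['status']}")
```

The "pending" status matters for a periodic control: an obligation whose month-following deadline has not yet passed is not an exception, so running the comparison monthly, shortly after each deadline, gives a clean list of late and missing reports without false alarms.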
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1)
Known Questioned Costs: $0
Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and noted that each of them lacked one or more of the elements required by 2 CFR § 200.332(a)(1). Specifically, we noted the following instances of non-compliance in these subaward renewal agreements:
Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv).
Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii).
Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii).
Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii).
Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii).
Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x).
Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi).
Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii).
Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv).
During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement.
Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements.
Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f)
Known Questioned Costs: $0
Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments and consist mainly of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following:
Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000.
Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One of the non-locality subrecipients’ auditors identified $82,253 in known questioned costs because the subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of the Clearinghouse’s acceptance of the audit report. A management decision is Social Services’ written determination, provided to its subrecipient, of the adequacy of the subrecipient’s proposed corrective actions, based on Social Services’ evaluation of the audit findings, including whether the questioned costs are disallowed and must be repaid to the federal awarding agency.
As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant.
According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns to Compliance the responsibility for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that it is fulfilling the pass-through entity responsibilities in 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until Social Services takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending or terminating the federal award in part or in its entirety, initiating suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, by not reviewing the non-locality Single Audit reports, Social Services may be unaware of a potential liability to the Commonwealth.
Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions.
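The alternative control suggested above, worked as an added example that is not the agency's code: given a constructed extract of disbursements to non-locality subrecipients, a constructed Clearinghouse index and the dates on which management decisions were issued, it lists subrecipients at or above the $750,000 threshold that have no report on file, those whose latest report predates the most recent audit period, and those with findings affecting a Social Services program whose six-month management-decision window has lapsed. Names, amounts and dates are invented; the staleness rule (a newer report is expected once a later fiscal year has ended and the nine-month filing window in 2 CFR § 200.512 has passed) assumes subrecipients are audited annually.

```python
"""Verify Single Audit coverage of non-locality subrecipients and track
management-decision deadlines. Added illustration, not the agency's code;
every record below is constructed."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

AUDIT_THRESHOLD = 750_000   # federal awards expended in a fiscal year, dollars (2 CFR 200.501)
DECISION_MONTHS = 6         # management decision due within six months (2 CFR 200.332(d)(3))
FILING_MONTHS = 9           # Single Audit due nine months after fiscal year end (2 CFR 200.512)


@dataclass(frozen=True)
class AuditRecord:
    fiscal_year_end: date
    accepted: date        # date the Clearinghouse accepted the report
    dss_findings: int     # findings affecting a Social Services program
    questioned_costs: int = 0


def add_months(d: date, n: int) -> date:
    """Advance d by n months, clamping to the last day of the target month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def review_single_audits(disbursed: Dict[str, int],
                         clearinghouse: Dict[str, List[AuditRecord]],
                         decisions: Dict[str, date],
                         as_of: date) -> List[Tuple[str, str]]:
    """Return (subrecipient, issue) pairs for subrecipients whose disbursements from this
    pass-through alone reach the threshold. That figure is a lower bound on the
    subrecipient's total federal expenditures, so the population checked is a floor,
    not everyone who must be audited."""
    issues: List[Tuple[str, str]] = []
    for name, amount in sorted(disbursed.items()):
        if amount < AUDIT_THRESHOLD:
            continue
        audits = clearinghouse.get(name, [])
        if not audits:
            issues.append((name, "no Single Audit report in the Clearinghouse"))
            continue
        latest = max(audits, key=lambda a: a.fiscal_year_end)
        # A later fiscal year has ended and its filing window has closed: report is stale.
        if add_months(latest.fiscal_year_end, 12 + FILING_MONTHS) < as_of:
            issues.append((name, f"no report for the most recent audit period "
                                 f"(latest on file: FYE {latest.fiscal_year_end})"))
            continue
        if latest.dss_findings == 0:
            continue
        deadline = add_months(latest.accepted, DECISION_MONTHS)
        decided = decisions.get(name)
        if decided is None and as_of > deadline:
            issues.append((name, f"management decision overdue since {deadline} "
                                 f"({latest.dss_findings} finding(s), "
                                 f"${latest.questioned_costs:,} questioned)"))
        elif decided is None:
            issues.append((name, f"management decision due by {deadline}"))
        elif decided > deadline:
            issues.append((name, f"management decision issued late ({decided} > {deadline})"))
    return issues


# Constructed sample records (not from the report).
SAMPLE_DISBURSED = {
    "Alpha Community Services": 1_200_000,
    "Beta Family Center": 900_000,
    "Gamma Housing Coalition": 800_000,
    "Delta Youth Network": 400_000,      # below threshold on our disbursements alone
    "Epsilon Services": 2_000_000,
    "Zeta Outreach": 760_000,
}
SAMPLE_CLEARINGHOUSE = {
    "Alpha Community Services": [AuditRecord(date(2023, 6, 30), date(2023, 12, 15), 1, 18_400)],
    "Beta Family Center": [AuditRecord(date(2023, 6, 30), date(2024, 1, 20), 0)],
    "Epsilon Services": [AuditRecord(date(2023, 12, 31), date(2024, 3, 1), 2, 5_000)],
    "Zeta Outreach": [AuditRecord(date(2022, 6, 30), date(2023, 1, 10), 0)],
}
SAMPLE_DECISIONS = {"Epsilon Services": date(2024, 5, 10)}
AS_OF = date(2024, 6, 30)


def run_sample() -> List[Tuple[str, str]]:
    return review_single_audits(SAMPLE_DISBURSED, SAMPLE_CLEARINGHOUSE, SAMPLE_DECISIONS, AS_OF)


if __name__ == "__main__":
    for name, issue in run_sample():
        print(f"{name}: {issue}")
```

In the constructed data, Alpha has a finding whose six-month decision window closed on 15 June 2024, Gamma has never filed, and Zeta's only report covers a fiscal year two periods back; Beta and Epsilon produce no exception. A subrecipient whose only federal funding comes through several pass-throughs, each below $750,000, would not appear here at all, which is why the threshold check cannot substitute for the subrecipient's own certification of total federal expenditures.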
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of its subrecipients as necessary to ensure that they used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-101: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-105; 2022-103
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0
Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the ACF-199 and ACF-209 performance reports. The Administration for Children and Families (ACF) requires Social Services to submit this data quarterly, and ACF uses the data to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program.
Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on the provider’s internal controls during the data extraction and data reporting process. Since the prior audit, Benefit Programs has worked with its service provider to analyze the reporting errors to determine their cause and the appropriate actions to resolve them. However, because of the extent of its corrective actions, Benefit Programs has not fully implemented all of them and continues to rely on ACF’s error correction controls, performed after report submission, to obtain assurance over the accuracy of the data included in its submissions.
We audited 60 cases and identified 19 instances (32%) where the third-party service provider did not report key line-item information accurately based on the data Social Services maintains in its case management system or other supporting data and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report on the following key line items:
Benefit Programs did not accurately report on the “Work Participation Status” key line item for 13 out of 60 (22%) cases tested during the audit.
Benefit Programs did not accurately report on the “Receives Subsidized Child Care” key line item for four out of 31 (13%) cases tested during the audit.
Benefit Programs did not accurately report on the “Hours of Participation” key line item for four out of 60 (7%) cases tested during the audit.
Benefit Programs did not accurately report on the “Work Eligibility Individual Indicator” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Number of Months Countable Toward Federal Time Clock” key line item for two out of 56 (4%) cases tested during the audit.
Benefit Programs did not accurately report on the “Type of Family for Work Participation” key line item for two out of 60 (3%) cases tested during the audit.
Benefit Programs did not accurately report on the “Parent with Minor Child” key line item for one out of 56 (2%) cases tested during the audit.
Benefit Programs did not accurately report on the “Unsubsidized Employment” key line item for one out of 60 (2%) cases tested during the audit.
Additionally, because of the lack of internal control over the ACF-199 and ACF-209 federal reports, Benefit Programs did not identify that the ACF revised the reporting specifications in November 2023 for certain key line items. Although ACF provided administering agencies with nearly a year to implement the new reporting specifications, Benefit Programs has not yet initiated discussions with its service provider to bring its current reporting model in line with the new reporting specifications. Therefore, there is risk that Social Services will continue to report inaccurate information to ACF going forward without working with its service provider to implement the new reporting specifications.
Title 45 CFR § 265.7(b) requires States to submit complete and accurate reports, which means that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent. Additionally, 2 CFR § 200.303(a) requires that Social Services establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring Social Services’ work participation rates and the overall performance of the TANF federal grant program. Further, ACF can impose a penalty if it finds Social Services did not meet statutorily required work participation rates. Because of the scope of this matter and the errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance since Social Services did not comply with the provisions at 45 CFR § 265.7(b).
Benefit Programs should implement internal controls over the TANF federal performance reporting process, including a documented secondary review of the service provider’s data that it completes before the report is submitted. Additionally, Benefit Programs should develop a process to track changes to the reporting specifications and communicate those changes to the service provider in advance of the applicable implementation date.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-102: Implement Internal Controls over TANF Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Benefit Programs has not documented its process for preparing ACF’s Annual Report on State Maintenance-of-Effort (MOE) Programs (ACF-204) for the TANF federal grant program. ACF requires Social Services to submit this data annually and uses the information in reports to Congress about how TANF programs are evolving, in assessing State and Territory MOE expenditures, and in assessing the need for legislative changes. Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
During fiscal year 2024, Benefit Programs performed an analysis of ACF-204 reporting errors identified during the prior audit to determine causality and has taken actions to resolve those errors. Additionally, Benefit Programs created a systems modification request to correct errors that it identified as occurring due to inaccurate programming in the data modification phase of the federal report creation. However, Benefit Programs has not yet documented its processes for preparing the ACF-204 report through a written policy and procedure.
Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Benefit Programs should dedicate the necessary resources to document its processes for preparing the ACF-204 report to ensure reasonably accurate reporting of TANF MOE Programs to ACF in accordance with the ACF-204 reporting instructions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-103: Monitor Case Management System Records to Ensure Compliance with TANF Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-103
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 8 USC § 1611; 42 USC § 604(a)(1); 42 USC § 608(a)(3); 42 USC § 608(a)(10); 45 CFR § 261.13; 45 CFR § 263.2(b)(2)
Known Questioned Costs: $6,968
Social Services did not comply with certain federal eligibility requirements for the TANF federal grant program, resulting in known questioned costs of $6,968. The TANF federal grant program provided over $89 million in assistance to approximately 26,000 needy families during fiscal year 2024. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 24 instances (<1%) where the facts in the recipient's case record did not support the eligibility determination. Specifically:
For 14 payments, Social Services did not properly evaluate whether individuals were already counted as eligible for TANF benefits under an existing case, which allowed these individuals to receive multiple benefit payments in excess of its Standards of Assistance and maximum program benefit amounts. Title 42 United States Code (USC) § 604(a)(1) provides that a state may use the grant in any manner that is reasonably calculated to accomplish the purpose of TANF; Social Services defines that reasonable calculation through the Standards of Assistance and maximum program benefit amounts in its TANF Program Manual.
For five payments, Social Services did not properly assign to the state the rights a family member may have to child support, which resulted in recipients being underpaid in their benefit amount. Title 42 USC § 608(a)(3) mandates that the state shall require, as a condition of providing assistance, that a member of the family assign to the state any rights the family member may have to support from any other person, and this assignment may not exceed the amount of assistance provided by the state.
For one payment, Social Services did not properly evaluate the income eligibility of the case. Title 45 CFR § 263.2(b)(2) defines financially “needy” as financially eligible according to the state’s quantified income and resource criteria, which Social Services quantifies through its TANF Manual as maximum income charts in Section 305, Appendix 1.
For one payment, Social Services did not properly evaluate the extended absence of a child or adult from the case. Title 42 USC § 608(a)(10) mandates that a state shall not use any part of the grant to provide assistance to a minor child who has been absent from the home for a period of 45 consecutive days.
For two payments, Social Services did not properly reduce or terminate assistance for individuals not complying with the Commonwealth’s work requirements for the TANF program. Title 45 CFR § 261.13 mandates that if an individual in a family receiving assistance refuses to engage in required work without good cause, a state must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual refuses to engage in required work, or may terminate assistance.
For one payment, Social Services did not properly evaluate the qualified alien status of the case as required by 8 USC § 1611.
Social Services relies on its case management system to properly determine eligibility, correctly calculate benefit payments, and achieve the federal requirements of the TANF federal grant program. Of the exceptions noted above, five of the 24 (21%) were the result of local Social Services eligibility workers mistakenly reporting child support payments as unearned revenue beyond the acceptable timeframe instead of assigning these payments to the Commonwealth for referral to the Division of Child Support Enforcement, as required by the USC. The remaining 19 exceptions (79%) resulted from local Social Services eligibility workers not including sufficient documentation to justify the rationale for their eligibility determinations. Social Services did not identify these exceptions because it did not have a mechanism to identify risky transactions in its case management system that deviate from its normal practices and require further follow-up. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should continue to provide additional training to local Social Services eligibility workers on how to properly determine and document eligibility determinations in its case management system. Additionally, Social Services should consider implementing a data-driven approach to monitor and analyze data from its case management system to identify risky transactions that deviate from its normal practices. By providing additional training and implementing additional risk-based data analytics, Social Services will be able to ensure that the facts in the applicant’s or recipient’s case record support each decision in its case management system regarding eligibility and comply with federal requirements.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-107; 2022-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0
Finance is not maintaining adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting is intended to provide full disclosure of how entities and organizations are obligating federal funds. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds from roughly 5,300 subawards.
While auditing FFATA reporting for the TANF federal grant program, we noted that Finance did not file any FFATA reports for its subrecipients. Social Services awarded over $72 million in nearly 300 new TANF subawards during fiscal year 2024. Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action that equals or exceeds $30,000 to the FFATA Subaward Reporting System (FSRS) by the end of the month following the obligating action. This also applies to any subaward modifications that increase the amount to equal or exceed $30,000. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities since it does not determine which subrecipients will receive federal funding. Since there is an elevated risk that Finance will not report all subaward information to FSRS, it has obtained a report of subrecipients from its financial reporting system and identified those who spent $30,000 or more in TANF funds during fiscal year 2024. However, Finance management did not compare this report to its FSRS submissions to verify that the agency made the submissions accurately and timely. As a result, Finance management did not recognize that it did not comply with the FFATA reporting requirements.
When Social Services does not upload all obligating actions meeting the reporting threshold to FSRS as required, a citizen or federal official may have a distorted view as to how Social Services is obligating federal funds. Finance management should provide sufficient oversight to confirm that the agency is submitting FFATA reporting submissions timely. Specifically, Finance management should periodically compare the report of subrecipients from its financial reporting system to FSRS to ensure it is reporting all subawards to FSRS and escalate any concerns that hinder its ability to comply with federal regulations.
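The comparison recommended above, reduced to a runnable check, as an added example that is not part of the audit report or of Social Services' own tooling. It takes a list of obligating actions (the kind of data the financial reporting system report would contain) and a list of FSRS submissions, both constructed here, and reports every subaward that reached the $30,000 threshold but was never submitted or was submitted after the end of the month following the obligating action. The field names, the sample records and the modelling choice that a subaward becomes reportable at the first action that brings its cumulative obligation to the threshold are assumptions made for this example.

```python
"""Reconcile subaward obligating actions against FSRS submissions (constructed sample data)."""
import calendar
from dataclasses import dataclass
from datetime import date

FFATA_THRESHOLD = 30_000  # reporting threshold in 2 CFR Part 170 Appendix A


@dataclass(frozen=True)
class ObligatingAction:
    subaward_id: str
    action_date: date
    amount: int  # dollars obligated by this action; a modification adds to the running total


@dataclass(frozen=True)
class FsrsSubmission:
    subaward_id: str
    submitted_on: date


def reporting_deadline(action_date: date) -> date:
    """Last day of the month following the obligating action."""
    year, month = action_date.year, action_date.month + 1
    if month == 13:
        year, month = year + 1, 1
    return date(year, month, calendar.monthrange(year, month)[1])


def reportable_subawards(actions):
    """Return {subaward_id: deadline} for subawards whose cumulative obligation reached the threshold.

    Assumption for this example: the subaward becomes reportable at the first action (initial award
    or modification) that brings the running total to FFATA_THRESHOLD or more."""
    deadlines, running = {}, {}
    for a in sorted(actions, key=lambda a: (a.action_date, a.subaward_id)):
        running[a.subaward_id] = running.get(a.subaward_id, 0) + a.amount
        if a.subaward_id not in deadlines and running[a.subaward_id] >= FFATA_THRESHOLD:
            deadlines[a.subaward_id] = reporting_deadline(a.action_date)
    return deadlines


def reconcile(actions, submissions):
    """Classify every reportable subaward as on_time, late or missing, using its earliest submission."""
    deadlines = reportable_subawards(actions)
    first_submission = {}
    for s in submissions:
        if s.subaward_id not in first_submission or s.submitted_on < first_submission[s.subaward_id]:
            first_submission[s.subaward_id] = s.submitted_on
    result = {"missing": [], "late": [], "on_time": []}
    for sid, deadline in sorted(deadlines.items()):
        submitted = first_submission.get(sid)
        if submitted is None:
            result["missing"].append(sid)
        elif submitted > deadline:
            result["late"].append(sid)
        else:
            result["on_time"].append(sid)
    return result


# Constructed sample data; subaward ids and dates are invented for this example.
SAMPLE_ACTIONS = [
    ObligatingAction("TANF-2024-001", date(2023, 7, 10), 45_000),  # reportable; deadline 2023-08-31
    ObligatingAction("TANF-2024-002", date(2023, 9, 5), 20_000),   # below threshold at award
    ObligatingAction("TANF-2024-002", date(2024, 1, 15), 15_000),  # modification crosses threshold; deadline 2024-02-29
    ObligatingAction("TANF-2024-003", date(2023, 12, 1), 25_000),  # never reaches threshold
    ObligatingAction("TANF-2024-004", date(2024, 3, 20), 30_000),  # exactly at threshold; deadline 2024-04-30
]
SAMPLE_SUBMISSIONS = [
    FsrsSubmission("TANF-2024-001", date(2023, 8, 15)),  # on time
    FsrsSubmission("TANF-2024-002", date(2024, 3, 4)),   # after the deadline
    # TANF-2024-004 was never submitted
]

if __name__ == "__main__":
    for status, ids in reconcile(SAMPLE_ACTIONS, SAMPLE_SUBMISSIONS).items():
        print(f"{status}: {ids}")
```

Run periodically against the full subaward report, the "missing" and "late" lists are exactly the items Finance management would need to escalate; a subaward that never reaches the threshold (TANF-2024-003 above) is deliberately left out of the result so reviewers are not chasing non-reportable awards.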
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-104: Implement Internal Controls over LIHEAP Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a); 45 CFR § 96.82(a)
Known Questioned Costs: $0
Benefit Programs has not documented its processes for preparing and verifying the information reported in the LIHEAP federal grant program’s Annual Household Report. The federal government requires Social Services to annually submit this data and uses this information to provide reports to Congress for assessing the uses of funds for the assistance of households in need.
Benefit Programs uses a third-party service provider to produce data reports from its case management system, which program staff use to populate the LIHEAP Annual Household Report. Benefit Programs relies on the third-party service provider’s internal controls over the data extraction process. Benefit Programs could not substantiate the information reported for four out of seven (57%) line items in Section I - Number of assisted households of the most recent LIHEAP Annual Household Report. Specifically, we noted the following inconsistencies:
Benefit Programs reported 2,571 households assisted on the Emergency Furnace Repair and Replacement line, which is 12 percent higher than the information in the case management system.
Benefit Programs reported 118,347 households assisted on the Any Type of LIHEAP Assistance line, which is 21 percent lower than the information in the case management system.
Benefit Programs reported 117,274 households assisted on the Bill Payment Assistance line, which is 20 percent higher than the information in the case management system.
Benefit Programs could not provide support to substantiate the Weatherization line.
Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and its terms and conditions. Further, 45 CFR § 96.82(a) requires each grantee, whether a State or an insular area, that receives an annual allotment of at least $200,000 to submit this data for the 12-month period preceding the federal fiscal year in which the grantee requests the funds. The grantee must report the data separately for LIHEAP heating, cooling, crisis, and weatherization assistance. If Social Services does not submit this report properly, ACF may not grant Social Services its LIHEAP allotment, as provided in 45 CFR § 96.82(c).
Benefit Programs has not dedicated the necessary resources to document its processes for preparing the LIHEAP Annual Household Report. Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Additionally, reporting potentially inaccurate information prevents the federal government from adequately monitoring Social Services’ overall performance for the LIHEAP federal grant program. Therefore, Benefit Programs should dedicate the necessary resources to document its processes for preparing the LIHEAP Annual Household Report, including the processes used to verify the data provided by its third-party service provider.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-105: Monitor Case Management System Records to Ensure Compliance with LIHEAP Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 USC § 8624(b)(10)
Known Questioned Costs: $6,569
Social Services did not comply with certain federal eligibility requirements for the LIHEAP federal grant program, resulting in known questioned costs of $6,569. Social Services provided over $114 million in assistance to approximately 215,000 needy families during fiscal year 2024 through the LIHEAP federal grant program. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 12 instances (<1%) where individuals applied for benefits more than once and received benefit payments in excess of Social Services’ maximum benefit amounts.
Social Services relies on its case management system to ensure it determines eligibility properly, calculates benefit payments correctly, and complies with federal and state laws and regulations. However, Social Services’ case management system does not prevent eligibility workers from authorizing individuals on multiple cases; instead it displays a warning message that the worker can choose to ignore. Additionally, Social Services does not have a mechanism to detect when an individual has received benefits from multiple cases and/or received benefit payments in excess of its maximum benefit amount.
Title 42 USC § 8624(b)(10) mandates that the State shall provide fiscal control to assure the proper disbursal of and accounting for Federal funds, including procedures for monitoring the assistance provided. Further, Social Services’ Energy Assistance Program Manual, which it developed to comply with 42 USC § 8624(b)(10), stipulates that the eligibility worker will determine whether each adult household member is associated with an existing case number when they apply or reapply for benefits. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should provide additional training to eligibility workers to properly identify individuals who have already applied for and received LIHEAP benefits. Additionally, Social Services should review the case management system’s current warning messages to determine how it can strengthen internal controls so that eligibility workers will not be able to approve cases which could result in this type of error. Finally, Social Services should consider implementing a detective control, such as reviewing payment reports, to identify potential disallowed payments resulting from an individual appearing on multiple case records.
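The detective control recommended here, and the risk-based payment analytics recommended in the TANF eligibility finding above, come down to the same review of a payment report: find household members paid on more than one case in a benefit period, and find totals above the program maximum. The following is an added example of that review, not code from the audit report or from Social Services' case management system. The payment fields, the member identifier, the benefit-period definition and the $500 maximum are assumptions; the payment records are constructed.

```python
"""Detective control over a benefit payment report (constructed sample data).

Flags (1) members authorized on more than one case in the same benefit period, which is the
condition the case management system only warns about, and (2) totals above the maximum,
with the excess that would be questioned."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    case_id: str     # case record the payment was authorized on
    member_id: str   # adult household member the case is associated with (assumed identifier)
    period: str      # benefit period as defined by program policy (assumed: one program year)
    amount: int      # dollars paid


def members_on_multiple_cases(payments):
    """Return {member_id: sorted case ids} for members paid on more than one case in one period."""
    cases_by_member_period = defaultdict(set)
    for p in payments:
        cases_by_member_period[(p.member_id, p.period)].add(p.case_id)
    flagged = defaultdict(set)
    for (member, _period), case_ids in cases_by_member_period.items():
        if len(case_ids) > 1:
            flagged[member].update(case_ids)
    return {member: sorted(ids) for member, ids in sorted(flagged.items())}


def payments_over_maximum(payments, max_benefit):
    """Return [(member_id, period, total_paid, excess)] where total_paid > max_benefit.

    `excess` is the portion above the maximum, i.e. the amount that would be questioned."""
    totals = defaultdict(int)
    for p in payments:
        totals[(p.member_id, p.period)] += p.amount
    return sorted(
        (member, period, total, total - max_benefit)
        for (member, period), total in totals.items()
        if total > max_benefit
    )


def review_payment_report(payments, max_benefit):
    """Combine both checks into one follow-up list for eligibility supervisors."""
    return {
        "multiple_cases": members_on_multiple_cases(payments),
        "over_maximum": payments_over_maximum(payments, max_benefit),
    }


# Constructed sample payment report; ids and amounts are invented for this example.
MAX_BENEFIT = 500  # assumed program maximum for one benefit period
SAMPLE_PAYMENTS = [
    Payment("C100", "M001", "FY2024", 400),  # normal: one case, under the maximum
    Payment("C200", "M002", "FY2024", 350),  # M002 authorized on two cases in the same period:
    Payment("C201", "M002", "FY2024", 350),  #   total 700, 200 over the maximum
    Payment("C300", "M003", "FY2024", 600),  # single case, but paid above the maximum
    Payment("C400", "M004", "FY2024", 300),  # same member in two different periods: not flagged
    Payment("C401", "M004", "FY2025", 300),
]

if __name__ == "__main__":
    for check, hits in review_payment_report(SAMPLE_PAYMENTS, MAX_BENEFIT).items():
        print(f"{check}: {hits}")
```

The two checks are kept separate on purpose: a member on two cases whose combined total is still under the maximum (a duplicate case that has not yet produced an overpayment) is caught by the first check alone, while a single case paid above the maximum is caught only by the second, so a supervisor sees both the control failure and its dollar effect.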
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-104: Implement Internal Controls over LIHEAP Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a); 45 CFR § 96.82(a)
Known Questioned Costs: $0
Benefit Programs has not documented its processes for preparing and verifying the information reported in the LIHEAP federal grant program’s Annual Household Report. The federal government requires Social Services to annually submit this data and uses this information to provide reports to Congress for assessing the uses of funds for the assistance of households in need.
Benefit Programs uses a third-party service provider to produce data reports from its case management system, which program staff use to populate the LIHEAP Annual Household Report, and Benefit Programs relies on the third-party service provider’s internal controls during the data extraction process. Benefit Programs could not substantiate the information reported for four out of seven (57%) of the line items in Section I - Number of assisted households of the most recent LIHEAP Annual Household Report. Specifically, we noted the following inconsistencies:
Benefit Programs reported 2,571 households assisted on the Emergency Furnace Repair and Replacement line, which is 12 percent higher than the information in the case management system.
Benefit Programs reported 118,347 households assisted on the Any Type of LIHEAP Assistance line, which is 21 percent lower than the information in the case management system.
Benefit Programs reported 117,274 households assisted on the Bill Payment Assistance line, which is 20 percent higher than the information in the case management system.
Benefit Programs could not provide support to substantiate the Weatherization line.
Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and its terms and conditions. Further, 45 CFR § 96.82(a) requires each grantee, whether a State or an insular area, that receives an annual allotment of at least $200,000 to submit this data for the 12-month period preceding the federal fiscal year in which the grantee requests the funds. The grantee must report the data separately for LIHEAP heating, cooling, crisis, and weatherization assistance. If Social Services does not submit this report properly, the Administration for Children and Families (ACF) may not grant Social Services its LIHEAP grant allotment, as provided in 45 CFR § 96.82(c).
Benefit Programs has not dedicated the necessary resources to document its processes for preparing the LIHEAP Annual Household Report. Documented policies and procedures will help Social Services maintain continuity with its processes to comply with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government that could lead to Social Services incurring fines and/or penalties. Additionally, reporting potentially inaccurate information prevents the federal government from adequately monitoring Social Services’ overall performance for the LIHEAP federal grant program. Therefore, Benefit Programs should dedicate the necessary resources to document its processes for preparing the LIHEAP Annual Household Report, including the processes used to verify the data provided by its third-party service provider.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-105: Monitor Case Management System Records to Ensure Compliance with LIHEAP Eligibility Requirements
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Compliance
Severity of Deficiency: N/A
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 USC § 8624(b)(10)
Known Questioned Costs: $6,569
Social Services did not comply with certain federal eligibility requirements for the LIHEAP federal grant program, resulting in known questioned costs of $6,569. Social Services provided over $114 million in assistance to approximately 215,000 needy families during fiscal year 2024 through the LIHEAP federal grant program. During the audit, we reperformed the eligibility determinations for all needy families that received assistance during the fiscal year and identified 12 instances (<1%) where individuals applied for benefits more than once and received benefit payments in excess of Social Services’ maximum benefit amounts.
Social Services relies on its case management system to ensure it determines eligibility properly, calculates benefit payments correctly, and complies with federal and state laws and regulations. However, Social Services’ case management system does not prevent eligibility workers from authorizing individuals on multiple cases; instead, it provides a warning message that they can choose to ignore. Additionally, Social Services does not have a mechanism to detect when an individual has received benefits from multiple cases and/or received benefit payments in excess of its maximum benefit amount.
Title 42 USC § 8624(b)(10) mandates that the State shall provide fiscal control to assure the proper disbursal of and accounting for Federal funds, including procedures for monitoring the assistance provided. Further, Social Services’ Energy Assistance Program Manual, which it developed to comply with 42 USC § 8624(b)(10), stipulates that the eligibility worker will determine whether each adult household member is associated with an existing case number when they apply or reapply for benefits. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government.
Social Services should provide additional training to eligibility workers to properly identify individuals who have already applied for and received LIHEAP benefits. Additionally, Social Services should review the case management system’s current warning messages to determine how it can strengthen internal controls so that eligibility workers will not be able to approve cases which could result in this type of error. Finally, Social Services should consider implementing a detective control, such as reviewing payment reports, to identify potential disallowed payments resulting from an individual appearing on multiple case records.
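The detective control recommended above (reviewing payment reports to identify an individual appearing on multiple case records, and payments in excess of the maximum benefit) can be illustrated in code. The following is an added example, not part of the audit report or of Social Services’ case management system; the record layout, field names, member and case identifiers, dates, amounts, and the maximum benefit figures are constructed placeholders.

```python
"""Detective control over benefit payment records (added illustration).

Flags (a) individuals associated with more than one case record, (b) payments
made to the later-opened cases of such individuals, and (c) case/component
totals that exceed a configured maximum benefit. All data below is constructed.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed case membership records: which adult members belong to which
# case and when that case was opened. Field names are assumptions.
CASE_MEMBERS = [
    {"case_id": "C-1001", "member_id": "M-501", "opened": "2023-10-02"},
    {"case_id": "C-1001", "member_id": "M-502", "opened": "2023-10-02"},
    {"case_id": "C-1002", "member_id": "M-503", "opened": "2023-10-05"},
    {"case_id": "C-1003", "member_id": "M-501", "opened": "2023-11-14"},  # M-501 reapplied under a new case
    {"case_id": "C-1004", "member_id": "M-504", "opened": "2023-12-01"},
]

# Constructed payment report: one row per benefit payment, by program component.
PAYMENTS = [
    {"case_id": "C-1001", "component": "heating", "amount": Decimal("400.00")},
    {"case_id": "C-1002", "component": "heating", "amount": Decimal("350.00")},
    {"case_id": "C-1003", "component": "heating", "amount": Decimal("400.00")},
    {"case_id": "C-1004", "component": "crisis", "amount": Decimal("600.00")},
    {"case_id": "C-1004", "component": "crisis", "amount": Decimal("300.00")},
]

# Constructed maximum benefit per case and component (placeholder values, not
# the program's actual limits).
MAX_BENEFIT = {"heating": Decimal("500.00"), "crisis": Decimal("800.00")}


def members_on_multiple_cases(case_members):
    """Return {member_id: [case_id, ...]} for members tied to more than one case,
    with the cases ordered by opening date (earliest first)."""
    opened_by_member = defaultdict(dict)
    for rec in case_members:
        cases = opened_by_member[rec["member_id"]]
        # Keep the earliest opening date seen for each (member, case) pair.
        cases[rec["case_id"]] = min(cases.get(rec["case_id"], rec["opened"]), rec["opened"])
    return {
        member: sorted(cases, key=lambda c: (cases[c], c))
        for member, cases in opened_by_member.items()
        if len(cases) > 1
    }


def payments_on_duplicate_cases(case_members, payments):
    """Flag payments to any case opened after the member's earliest case.
    The earliest case is treated as the legitimate one; later cases sharing a
    member are the potential duplicates an eligibility worker should review."""
    suspect_cases = {}
    for member, cases in members_on_multiple_cases(case_members).items():
        for later_case in cases[1:]:
            suspect_cases.setdefault(later_case, set()).add(member)
    return [
        {**p, "shared_members": sorted(suspect_cases[p["case_id"]])}
        for p in payments
        if p["case_id"] in suspect_cases
    ]


def payments_over_maximum(payments, max_benefit):
    """Flag (case, component) payment totals that exceed the configured maximum."""
    totals = defaultdict(Decimal)
    for p in payments:
        totals[(p["case_id"], p["component"])] += p["amount"]
    return [
        {"case_id": case_id, "component": comp, "total": total, "maximum": max_benefit[comp]}
        for (case_id, comp), total in sorted(totals.items())
        if comp in max_benefit and total > max_benefit[comp]
    ]


if __name__ == "__main__":
    for member, cases in members_on_multiple_cases(CASE_MEMBERS).items():
        print(f"{member} appears on cases {', '.join(cases)}")
    for p in payments_on_duplicate_cases(CASE_MEMBERS, PAYMENTS):
        print(f"review payment: case {p['case_id']} {p['component']} {p['amount']} "
              f"(shares member(s) {', '.join(p['shared_members'])} with an earlier case)")
    for o in payments_over_maximum(PAYMENTS, MAX_BENEFIT):
        print(f"over maximum: case {o['case_id']} {o['component']} total {o['total']} > {o['maximum']}")
```

Run against a full fiscal-year payment export, the three functions produce the review list the finding asks for; the case management system remains the source of membership data, and the script only reports, never changes, eligibility or payment records.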
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and to maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report it cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls and that those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, effective February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure; as a result, the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls that were originally identified in a 2020 audit and confirmed in a 2023 audit of the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, which Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data and weakens Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating that corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document, and as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.
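The recommended practice above, a documented baseline with approved and justified deviations, checked against the live configuration on a schedule and after major changes, can be illustrated in code. The following is an added example, not part of the audit report, of Medical Assistance Services’ environment, or of any CIS Benchmark; the setting names, values, dates and approver are constructed placeholders, and the export would in practice come from the database’s own configuration views.

```python
"""Baseline configuration review for a database (added illustration).

Compares a constructed export of current settings against a documented
baseline and a register of approved deviations, and classifies each setting
as compliant, an approved deviation, a deviation whose approval has expired,
or an undocumented deviation. Setting names are generic placeholders, not
items from a specific CIS Benchmark.
"""
from datetime import date

# Constructed baseline: the required value per setting (the more restrictive
# configuration expected for a sensitive system).
BASELINE = {
    "require_tls_for_client_connections": "on",
    "audit_logging": "extended",
    "failed_login_lockout_threshold": "5",
    "password_min_length": "14",
    "remote_admin_interface": "off",
    "sample_schemas_installed": "no",
}

# Constructed deviation register: approved value, business justification,
# approver and the date the approval expires and must be re-reviewed.
APPROVED_DEVIATIONS = {
    "failed_login_lockout_threshold": {
        "value": "10",
        "justification": "Batch service account retries during nightly claims load",
        "approved_by": "ISO (placeholder)",
        "expires": date(2025, 6, 30),
    },
    "remote_admin_interface": {
        "value": "on",
        "justification": "Vendor support access during migration",
        "approved_by": "ISO (placeholder)",
        "expires": date(2024, 3, 31),  # lapsed before the review date used below
    },
}

# Constructed export of the database's current settings.
CURRENT_CONFIG = {
    "require_tls_for_client_connections": "on",
    "audit_logging": "basic",                 # deviation with no approval on file
    "failed_login_lockout_threshold": "10",   # approved deviation, still valid
    "password_min_length": "14",
    "remote_admin_interface": "on",           # deviation whose approval has expired
    "query_cache_size": "0",                  # present in export, not in baseline
    # sample_schemas_installed is absent from the export entirely
}


def review_configuration(current, baseline, deviations, as_of):
    """Classify every baseline setting against the current export.

    Returns a dict with five lists:
      compliant            settings matching the baseline
      approved_deviations  deviations covered by an unexpired approval
      expired_deviations   deviations whose approval has lapsed
      undocumented         deviations with no matching approval, or settings
                           missing from the export (treated as non-compliant)
      not_in_baseline      settings in the export the baseline does not cover
    """
    result = {"compliant": [], "approved_deviations": [],
              "expired_deviations": [], "undocumented": []}
    for setting, expected in sorted(baseline.items()):
        actual = current.get(setting)
        if actual == expected:
            result["compliant"].append(setting)
            continue
        finding = {"setting": setting, "expected": expected, "actual": actual}
        approval = deviations.get(setting)
        if approval is None or approval["value"] != actual:
            result["undocumented"].append(finding)
        elif approval["expires"] < as_of:
            result["expired_deviations"].append(
                {**finding, "expired": approval["expires"].isoformat()})
        else:
            result["approved_deviations"].append(
                {**finding, "justification": approval["justification"]})
    # Anything configured but not in the baseline is a gap in the baseline itself.
    result["not_in_baseline"] = sorted(set(current) - set(baseline))
    return result


if __name__ == "__main__":
    report = review_configuration(CURRENT_CONFIG, BASELINE, APPROVED_DEVIATIONS, date(2024, 9, 30))
    for category, items in report.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Settings missing from the export are deliberately reported as undocumented rather than silently skipped, since a control that cannot be observed cannot be shown to be in place; the `not_in_baseline` list is what drives the annual baseline update the Security Standard calls for.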
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet to submit to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it was only recently formalized. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to carry out the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services’ prioritization of other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and bring the information security program in compliance with the Security Standard by not dedicating the necessary IT resources to information security.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program in compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has neither performed nor documented a conflicting access review to identify the combinations of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
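The two halves of a conflicting access review described above (which role combinations are toxic by design, and which users currently hold one, with or without a documented compensating control) can be scripted against a role export. The following is an added example, not code from the audit report or from Social Services; the role names, permissions, conflict matrix, user assignments, and compensating control are all constructed for illustration.

```python
from itertools import combinations

# Constructed, hypothetical role model for an eligibility and benefits system;
# the real case management system's roles are not described in the report.
ROLE_PERMISSIONS = {
    "intake_worker": {"create_case", "edit_case_data"},
    "eligibility_worker": {"determine_eligibility", "edit_case_data"},
    "benefits_authorizer": {"authorize_payment"},
    "supervisor": {"approve_case", "reassign_case"},
    "security_admin": {"assign_roles"},
}

# Constructed conflict matrix: permission pairs no single person should hold.
TOXIC_PAIRS = {
    frozenset({"determine_eligibility", "authorize_payment"}),
    frozenset({"edit_case_data", "authorize_payment"}),
    frozenset({"assign_roles", "authorize_payment"}),
    frozenset({"assign_roles", "determine_eligibility"}),
}

# Constructed user assignments, as they would come from the access listing.
SAMPLE_USER_ROLES = {
    "alice": {"eligibility_worker"},
    "bob": {"eligibility_worker", "benefits_authorizer"},
    "carol": {"intake_worker", "benefits_authorizer"},
    "dave": {"security_admin", "supervisor"},
}

# Documented compensating controls, keyed by (user, conflicting permission pair).
SAMPLE_COMPENSATING_CONTROLS = {
    ("carol", frozenset({"edit_case_data", "authorize_payment"})):
        "Supervisor second-approves every payment carol authorizes; monthly sample reviewed",
}


def conflicting_role_combinations(role_permissions=ROLE_PERMISSIONS,
                                  toxic_pairs=TOXIC_PAIRS):
    """Design-time half: role combinations (single roles included) that
    would violate the matrix if granted to one person."""
    results = {}
    roles = sorted(role_permissions)
    candidates = [(r,) for r in roles] + list(combinations(roles, 2))
    for combo in candidates:
        held = set().union(*(role_permissions[r] for r in combo))
        hits = {p for p in toxic_pairs if p <= held}
        if hits:
            results[combo] = hits
    return results


def review_user_access(user_roles, role_permissions=ROLE_PERMISSIONS,
                       toxic_pairs=TOXIC_PAIRS, compensating_controls=None):
    """Operational half: which users currently hold a toxic combination,
    and whether a compensating control is on record for it."""
    compensating_controls = compensating_controls or {}
    findings = []
    for user, roles in sorted(user_roles.items()):
        unknown = roles - set(role_permissions)
        if unknown:
            raise KeyError(f"{user} holds undefined roles: {sorted(unknown)}")
        held = set().union(*(role_permissions[r] for r in roles))
        for pair in toxic_pairs:
            if not pair <= held:
                continue
            control = compensating_controls.get((user, pair))
            findings.append({
                "user": user,
                "permissions": tuple(sorted(pair)),
                "granted_by": tuple(sorted(r for r in roles
                                           if role_permissions[r] & pair)),
                "mitigated": control is not None,
                "compensating_control": control,
            })
    return findings


def unmitigated(findings):
    """Conflicts with no documented compensating control: the audit exposure."""
    return [f for f in findings if not f["mitigated"]]


def run_sample_review():
    return review_user_access(SAMPLE_USER_ROLES,
                              compensating_controls=SAMPLE_COMPENSATING_CONTROLS)


if __name__ == "__main__":
    for combo, hits in conflicting_role_combinations().items():
        print("never combine", combo, "->", [tuple(sorted(h)) for h in hits])
    for finding in run_sample_review():
        print(finding)
```

The role-combination table is the artifact the system owner documents once; the user review is what gets rerun against each access listing and tracked in the POAM.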
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified.
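The two sets of limits quoted above run on different clocks: the agency procedure counts calendar days from detection, while SEC520 counts days from the date a fix became available and allows an approved security exception in place of remediation. The following is an added example, not code from the audit report or from Medical Assistance Services, that applies both rule sets to a constructed scan export and counts what the finding counts: open, unexcepted vulnerabilities past either limit. Finding ids, asset names, and dates are invented.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Day limits quoted in the finding. The agency procedure counts calendar days
# from detection; SEC520 counts days from the date a vendor fix became available.
PROCEDURE_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}
SEC520_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}


@dataclass
class Finding:
    finding_id: str                     # placeholder scanner id, not a real CVE number
    asset: str
    severity: str                       # critical | high | medium | low
    detected: date
    fix_available: Optional[date] = None
    remediated: Optional[date] = None
    exception_approved: bool = False    # approved security exception on file


def procedure_deadline(f: Finding) -> date:
    """Deadline under the agency's Vulnerability Scan Management procedure."""
    return f.detected + timedelta(days=PROCEDURE_DAYS[f.severity])


def sec520_deadline(f: Finding) -> Optional[date]:
    """Deadline under SEC520; undefined until a fix exists."""
    if f.fix_available is None:
        return None
    return f.fix_available + timedelta(days=SEC520_DAYS[f.severity])


def _days_past(deadline: Optional[date], when: date) -> int:
    return 0 if deadline is None else max(0, (when - deadline).days)


def assess(f: Finding, as_of: date) -> dict:
    """Classify one finding as of the report date."""
    if f.severity not in PROCEDURE_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
    closed = f.remediated is not None and f.remediated <= as_of
    # Lateness is measured at closure for fixed items, at the report date otherwise.
    measured_at = f.remediated if closed else as_of
    past_procedure = _days_past(procedure_deadline(f), measured_at)
    past_sec520 = _days_past(sec520_deadline(f), measured_at)
    late = past_procedure > 0 or past_sec520 > 0
    if closed:
        status = "remediated_late" if late else "remediated_on_time"
    elif f.exception_approved:
        status = "exception"        # past due but covered by an approved exception
    elif late:
        status = "overdue"          # what the audit finding counts
    else:
        status = "open"
    return {
        "finding_id": f.finding_id,
        "asset": f.asset,
        "severity": f.severity,
        "status": status,
        "days_past_procedure": past_procedure,
        "days_past_sec520": past_sec520,
    }


def assess_all(findings, as_of: date) -> list:
    return [assess(f, as_of) for f in findings]


def overdue_by_severity(findings, as_of: date) -> dict:
    """Count open, unexcepted findings past either limit, grouped by severity."""
    counts: dict = {}
    for row in assess_all(findings, as_of):
        if row["status"] == "overdue":
            counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


# Constructed sample scan export (ids, assets and dates invented for the example).
REPORT_DATE = date(2024, 11, 15)
SAMPLE_FINDINGS = [
    Finding("FIND-001", "web-01", "critical", date(2024, 8, 1), date(2024, 8, 5)),
    Finding("FIND-002", "db-02", "medium", date(2024, 10, 1), date(2024, 10, 1)),
    Finding("FIND-003", "app-03", "high", date(2024, 7, 1), None,
            exception_approved=True),
    Finding("FIND-004", "file-04", "low", date(2024, 6, 1), date(2024, 6, 1),
            remediated=date(2024, 9, 15)),
    Finding("FIND-005", "app-05", "high", date(2024, 9, 20), date(2024, 9, 25),
            remediated=date(2024, 10, 10)),
]

if __name__ == "__main__":
    for row in assess_all(SAMPLE_FINDINGS, REPORT_DATE):
        print(row)
    print("open and overdue:", overdue_by_severity(SAMPLE_FINDINGS, REPORT_DATE))
```

FIND-003 shows the exception path: it is well past the procedure limit, but SEC520's clock never started because no fix exists, and the approved exception keeps it out of the overdue count.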
Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT Security Audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians that have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document their process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress in monitoring and enforcing the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. For fiscal year 2024, this service level included a Common Vulnerabilities and Exposures (CVE) severity threshold: ITISP suppliers had to install any patch addressing a CVE scored above the threshold within 60 days. If a supplier did not meet the service level, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to demonstrate the effect of the enforced consequences. Our audits at various agencies for fiscal year 2024 found critical and high-severity security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, systems missing critical security updates are at increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), the Commonwealth agencies that rely on ITISP services are impaired in their ability to comply with the Security Standard.
The Security Standard is the baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers to install security patches on the systems that support agencies’ operations. Because the contractual service level allows 60 days and applies only to CVEs scored above the threshold, a supplier can meet its contract while the agency it serves remains out of compliance with the 30-day requirement.
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address agencies’ inability to access audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. Although the supplier had implemented the MDR platform, VITA and the supplier decided to replace it with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not yet include all audit log information in a usable format that would allow agencies to adequately monitor their IT environments.
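The two patching criteria described above (the contractual 60-day service level, which applies only above a CVE severity threshold, and the Security Standard’s 30-day requirement) are not equivalent, and an agency needs to measure its exposure against both. The following added example, not VITA’s or the MSI’s own tooling, evaluates constructed patch records against each criterion and isolates the records where the contract is satisfied but the Security Standard is not. The record layout, the sample hosts and dates, the placeholder vulnerability identifiers, and the CVSS 7.0 value used as the contractual threshold are assumptions; the finding does not state the threshold.

```python
"""Evaluate patch records against two criteria: the ITISP contract service
level (CVEs scored above a threshold patched within 60 days) and SEC530
(security-relevant updates installed within 30 days).
Added example; the record layout, sample data and 7.0 threshold are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CONTRACT_SCORE_THRESHOLD = 7.0       # assumed value; the finding does not state the threshold
CONTRACT_SLA = timedelta(days=60)    # contractual service level
STANDARD_SLA = timedelta(days=30)    # Security Standard (SEC530) baseline


@dataclass
class PatchRecord:
    host: str
    vuln_id: str             # placeholder; a real CVE identifier goes here
    cvss: float
    released: date           # release date of the patch
    installed: Optional[date]  # None means the patch is still missing


def days_open(rec, as_of):
    """Days from patch release to installation, or to `as_of` if still missing."""
    end = rec.installed or as_of
    return (end - rec.released).days


def evaluate(rec, as_of):
    """Return (breaches_contract, breaches_standard) for one record.
    The contract clock runs only for CVEs at or above the score threshold;
    the Security Standard applies to every security-relevant update."""
    age = timedelta(days=days_open(rec, as_of))
    in_contract_scope = rec.cvss >= CONTRACT_SCORE_THRESHOLD
    breaches_contract = in_contract_scope and age > CONTRACT_SLA
    breaches_standard = age > STANDARD_SLA
    return breaches_contract, breaches_standard


def gap_report(records, as_of):
    """Records that satisfy the contract yet fail the Security Standard:
    the exposure an agency carries even when no service credit is owed."""
    return [r for r in records if evaluate(r, as_of) == (False, True)]


# Constructed sample records (not real scan output).
SAMPLE = [
    PatchRecord("web01", "EXAMPLE-1", 9.8, date(2024, 1, 1), date(2024, 1, 20)),  # 19 d: meets both
    PatchRecord("web02", "EXAMPLE-2", 8.1, date(2024, 1, 1), date(2024, 2, 15)),  # 45 d: contract ok, standard breached
    PatchRecord("db01",  "EXAMPLE-3", 9.1, date(2024, 1, 1), None),               # open 90 d: both breached
    PatchRecord("app01", "EXAMPLE-4", 5.3, date(2024, 1, 1), date(2024, 3, 11)),  # 70 d: below contract scope, standard breached
]
AS_OF = date(2024, 3, 31)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.host, days_open(rec, AS_OF), evaluate(rec, AS_OF))
    print("contract met but standard breached:", [r.host for r in gap_report(SAMPLE, AS_OF)])
```

On the sample data only db01 triggers a contractual credit, while web02 and app01 both leave the agency out of compliance with the 30-day requirement without any contractual consequence: one because 45 days is inside the 60-day window, the other because its score falls below the threshold entirely. The gap report is the list an agency would need from its supplier to act on the guidance the recommendation below calls for.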
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024 and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Agencies’ inability to review and monitor their own audit logs increases the risk to the confidentiality, integrity, and availability of the Commonwealth’s data.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP suppliers to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information into the SIEM tool so that agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities or provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, did not properly document considerations for localities with elevated risks, and did not perform adequate risk assessments for its non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to make accurate and timely payments of Medicaid claims to providers and to maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security, however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must also maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report it cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls or that those controls are operating effectively. A SOC 2, Type 2 report covers the provider’s security-related controls, not the controls over claims payment and receivables that affect the Commonwealth’s financial statements. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress to document and implement a formal process for maintaining oversight for three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, which was effective on February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, which has resulted in the agency not yet verifying the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data and weakens Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating that corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document, and as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.
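As an added illustration of the scheduled baseline review recommended above (this is example code, not part of this report or of any agency’s tooling), the script below compares a collected database configuration with a documented baseline, accepts a departure only when a deviation record approves that exact value and is still within its review period, and flags deviation records that no longer apply. The setting names, values, approvers and dates are constructed placeholders in the style of a hardening benchmark, not actual CIS Benchmark recommendations.

```python
"""Scheduled review of a database configuration against its documented baseline.

Added example, not part of the audit report or of any agency's tooling. The
setting names and values are constructed placeholders in the style of a
hardening benchmark, not actual CIS Benchmark recommendations.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Deviation:
    """An approved departure from the baseline, with its business justification."""
    setting: str
    approved_value: str
    justification: str
    approved_by: str
    approved_on: date
    review_by: date          # deviations are re-justified at least annually


@dataclass
class Result:
    setting: str
    expected: str
    actual: Optional[str]
    status: str              # compliant | approved_deviation | expired_deviation | drift | not_collected


def review(baseline: Dict[str, str], actual: Dict[str, str],
           deviations: List[Deviation], today: date) -> List[Result]:
    """Compare each baseline setting with the collected value.

    A value that differs from the baseline is only acceptable when a deviation
    record names that setting, approves that exact value, and is still within
    its review period; anything else is drift or a missing collection.
    """
    by_setting = {d.setting: d for d in deviations}
    results: List[Result] = []
    for setting, expected in baseline.items():
        value = actual.get(setting)
        if value is None:
            status = "not_collected"
        elif value == expected:
            status = "compliant"
        elif setting in by_setting and by_setting[setting].approved_value == value:
            status = "approved_deviation" if today <= by_setting[setting].review_by else "expired_deviation"
        else:
            status = "drift"
        results.append(Result(setting, expected, value, status))
    return results


def stale_deviations(baseline: Dict[str, str], actual: Dict[str, str],
                     deviations: List[Deviation]) -> List[str]:
    """Deviation records that no longer apply: the setting is not in the baseline
    or the live value already matches the baseline. These should be retired."""
    stale: List[str] = []
    for d in deviations:
        if d.setting not in baseline or actual.get(d.setting) == baseline[d.setting]:
            stale.append(d.setting)
    return stale


def needs_action(results: List[Result]) -> List[Result]:
    """Results the database owner must fix, collect, or re-approve."""
    return [r for r in results if r.status in ("drift", "not_collected", "expired_deviation")]


# Constructed baseline and collected configuration (placeholder setting names).
BASELINE: Dict[str, str] = {
    "audit_logging": "on",
    "remote_admin_login": "off",
    "min_password_length": "14",
    "tls_required": "on",
    "sample_schemas_present": "no",
}
ACTUAL: Dict[str, str] = {
    "audit_logging": "on",
    "remote_admin_login": "on",      # differs, but covered by an approved deviation
    "min_password_length": "12",     # differs with no deviation on file: drift
    "tls_required": "on",
    # "sample_schemas_present" was not collected by the review script
}
DEVIATIONS: List[Deviation] = [
    Deviation("remote_admin_login", "on",
              "Vendor support staff need remote DBA access via the bastion host",
              "Agency CIO", date(2024, 3, 1), date(2025, 3, 1)),
    Deviation("tls_required", "off", "Legacy client could not negotiate TLS",
              "Agency CIO", date(2022, 1, 10), date(2023, 1, 10)),  # stale: now compliant
]

if __name__ == "__main__":
    for r in needs_action(review(BASELINE, ACTUAL, DEVIATIONS, date(2024, 11, 1))):
        print(f"{r.setting}: expected {r.expected!r}, found {r.actual!r} -> {r.status}")
    print("stale deviation records:", stale_deviations(BASELINE, ACTUAL, DEVIATIONS))
```

Running the same review after a deviation’s review date turns an approved deviation into an expired one, which is the prompt for the annual re-justification the Security Standard calls for.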
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet to submit to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it only recently formalized the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to implement the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing and insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and bring the information security program in compliance with the Security Standard by not dedicating the necessary IT resources to information security.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combination of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard), requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and to acquire an approved security exception for any vulnerability that Medical Assistance Services does not remediate within the identified timeframes.
Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
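As an added illustration of how the two sets of timeframes in this finding can be applied to scan output (example code, not part of this report or of any agency’s procedure), the script below ages each open vulnerability against the agency procedure (counted from detection) and against SEC520 (counted from a fix becoming available), honors an approved security exception, and lists what still needs remediation or an exception request. The host names, plugin identifiers, severities and dates are constructed sample data; treating a scanner rating of “critical” under the procedure’s 30-day high-severity line is an assumption made here.

```python
"""Vulnerability ageing check against the remediation timeframes in the finding above.

Added example, not part of the audit report or of any agency's tooling. The host
names, plugin identifiers, severities and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Vulnerability Scan Management procedure: calendar days from detection, by
# severity. The procedure quoted above names high (30), medium (60) and all
# others (90); treating "critical" like "high" is an assumption made here.
PROCEDURE_DAYS: Dict[str, int] = {"critical": 30, "high": 30, "medium": 60}
PROCEDURE_DEFAULT_DAYS = 90

# Risk Management Standard (SEC520): days from a fix becoming available,
# 30 for critical/high, 90 for everything else.
STANDARD_DAYS: Dict[str, int] = {"critical": 30, "high": 30}
STANDARD_DEFAULT_DAYS = 90


@dataclass
class Finding:
    host: str
    plugin: str                            # scanner identifier for the flaw (constructed)
    severity: str                          # critical / high / medium / low
    detected: date                         # first scan that reported it
    fix_available: Optional[date]          # vendor fix release date, None if no fix yet
    exception_until: Optional[date] = None  # expiry of an approved security exception


def procedure_due(f: Finding) -> date:
    """Deadline under the agency procedure: counted from detection."""
    days = PROCEDURE_DAYS.get(f.severity.lower(), PROCEDURE_DEFAULT_DAYS)
    return f.detected + timedelta(days=days)


def standard_due(f: Finding) -> Optional[date]:
    """Deadline under SEC520: counted from fix availability, so None until a fix exists."""
    if f.fix_available is None:
        return None
    days = STANDARD_DAYS.get(f.severity.lower(), STANDARD_DEFAULT_DAYS)
    return f.fix_available + timedelta(days=days)


def classify(f: Finding, today: date) -> str:
    """One of: on_time, excepted, overdue_procedure, overdue_standard, overdue_both."""
    if f.exception_until is not None and today <= f.exception_until:
        return "excepted"
    over_p = today > procedure_due(f)
    s_due = standard_due(f)
    over_s = s_due is not None and today > s_due
    if over_p and over_s:
        return "overdue_both"
    if over_p:
        return "overdue_procedure"
    if over_s:
        return "overdue_standard"
    return "on_time"


def overdue_report(findings: List[Finding],
                   today: date) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Count overdue findings by severity and list those that need remediation
    or a CSRM-approved exception, as (host, plugin, status)."""
    counts: Dict[str, int] = {}
    action: List[Tuple[str, str, str]] = []
    for f in findings:
        status = classify(f, today)
        if status in ("on_time", "excepted"):
            continue
        counts[f.severity] = counts.get(f.severity, 0) + 1
        action.append((f.host, f.plugin, status))
    return counts, action


# Constructed sample scan results, reviewed as of a November 2024 date.
TODAY = date(2024, 11, 15)
SAMPLE: List[Finding] = [
    Finding("app-db-01", "PLG-0001", "critical", date(2024, 9, 1), date(2024, 8, 20)),
    Finding("web-02", "PLG-0002", "high", date(2024, 10, 25), date(2024, 10, 25)),
    Finding("file-03", "PLG-0003", "medium", date(2024, 8, 1), date(2024, 7, 15)),
    Finding("file-03", "PLG-0004", "low", date(2024, 9, 1), None),
    Finding("legacy-04", "PLG-0005", "high", date(2024, 7, 1), date(2024, 6, 1),
            exception_until=date(2025, 1, 31)),
    Finding("legacy-05", "PLG-0006", "medium", date(2024, 10, 1), date(2024, 6, 1)),
    Finding("web-06", "PLG-0007", "high", date(2024, 10, 10), date(2024, 10, 20)),
]

if __name__ == "__main__":
    by_severity, to_action = overdue_report(SAMPLE, TODAY)
    print("overdue by severity:", by_severity)
    for host, plugin, status in to_action:
        print(f"{host:10} {plugin:9} {status}")
```

The "overdue_standard" case (a medium finding whose fix has been available for months but which was only recently detected) shows why the SEC520 clock, counted from fix availability, can run out before the procedure's detection-based clock does.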
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT Security Audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians who have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document its process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using EOL software that the vendor no longer supports, because such software carries unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies, but the team has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back-up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
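The 24-hour deprovisioning requirement in this finding is one of the easier controls to test mechanically: join the HR separation feed to an export of the access management system and flag every account that was still enabled more than 24 hours after the separation timestamp, plus any separated user the export does not contain at all (a missing account cannot be attested as removed). The reconciliation below is an added example, not the agency's or ISRM's own process; every record in it is constructed, and the field names `user_id`, `enabled` and `disabled_at` are assumptions about what a directory export would carry.

```python
"""Reconcile an HR separation list against a directory export to find
accounts left enabled more than 24 hours after separation.

Added example, not the agency's tooling. All records below are constructed
and the field names (user_id, enabled, disabled_at) are assumptions about
what an access management system would export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The Security Standard window cited in the finding: disable within 24 hours.
SLA = timedelta(hours=24)


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessException:
    user_id: str
    status: str                   # "late", "still_enabled" or "not_in_directory"
    hours_open: Optional[float]   # hours the account stayed usable after separation


def reconcile(separations: List[Tuple[str, str]],
              directory: Dict[str, dict],
              as_of: datetime) -> Tuple[List[AccessException], int]:
    """Compare each separation against the directory export.

    Returns the list of exceptions and the count of accounts disabled within
    the SLA. An account missing from the export is reported rather than
    silently treated as removed: the control cannot be attested for it.
    """
    exceptions: List[AccessException] = []
    compliant = 0
    for user_id, separated_raw in separations:
        separated = parse_ts(separated_raw)
        account = directory.get(user_id)
        if account is None:
            exceptions.append(AccessException(user_id, "not_in_directory", None))
            continue
        if account["enabled"] or account["disabled_at"] is None:
            # Still usable today: measure exposure up to the evaluation date.
            open_hours = (as_of - separated).total_seconds() / 3600
            exceptions.append(AccessException(user_id, "still_enabled", round(open_hours, 2)))
            continue
        lag = parse_ts(account["disabled_at"]) - separated
        if lag > SLA:
            exceptions.append(AccessException(user_id, "late", round(lag.total_seconds() / 3600, 2)))
        else:
            compliant += 1
    return exceptions, compliant


# Constructed HR separation feed: (user_id, separation timestamp).
HR_SEPARATIONS = [
    ("jdoe",   "2024-03-01T17:00:00Z"),
    ("asmith", "2024-03-04T12:30:00Z"),
    ("bwong",  "2024-03-05T09:00:00Z"),
    ("cpatel", "2024-03-06T16:45:00Z"),
]

# Constructed directory export keyed by user_id. cpatel is deliberately absent.
DIRECTORY = {
    "jdoe":   {"enabled": False, "disabled_at": "2024-03-02T09:15:00Z"},  # 16.25 h: within SLA
    "asmith": {"enabled": False, "disabled_at": "2024-03-07T08:00:00Z"},  # 67.5 h: late
    "bwong":  {"enabled": True,  "disabled_at": None},                    # never disabled
}

# Evaluation date for the constructed data set.
AS_OF = parse_ts("2024-03-08T00:00:00Z")

if __name__ == "__main__":
    found, ok = reconcile(HR_SEPARATIONS, DIRECTORY, AS_OF)
    print(f"{ok} account(s) disabled within SLA, {len(found)} exception(s):")
    for e in found:
        print(f"  {e.user_id:8} {e.status:17} {e.hours_open}")
```

Run against real exports, the three exception classes map onto different corrective actions: "late" is evidence for the supervisor offboarding policy, "still_enabled" is an immediate removal, and "not_in_directory" is a data-quality problem between HR and the access management system that the reconciliation cannot resolve on its own.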
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required ITISP suppliers to install, within 60 days, any patch addressing a CVE whose severity score exceeded the threshold. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to demonstrate the effect of the enforced consequences. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard.
The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations.
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments.
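The gap the two preceding paragraphs describe is structural: a supplier can meet a 60-day contractual window scoped to high-scoring CVEs while the agency still breaches the Security Standard's 30-day window, which applies to every security-relevant update. The evaluator below makes that visible by scoring a patch inventory against both windows at once and listing the records that fail only the Standard. It is an added example rather than VITA's or the MSI's own measurement; the inventory uses constructed records with placeholder CVE identifiers, and the CVSS threshold of 7.0 is an assumption because the finding does not state the contractual value.

```python
"""Evaluate a patch inventory against two windows at once: the ITISP
contractual service level (60 days for patches above a CVSS threshold)
and the Security Standard (30 days for any security-relevant update).

Added example, not VITA's or the MSI's tooling. Records are constructed
(placeholder CVE IDs), and the CVSS threshold is an assumption because the
finding does not state the contractual value.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CONTRACT_DAYS = 60     # service-level window stated in the finding
STANDARD_DAYS = 30     # SEC530 window stated in the finding
CVSS_THRESHOLD = 7.0   # assumed; the report does not give the contractual threshold


@dataclass(frozen=True)
class PatchRecord:
    host: str
    cve: str
    cvss: float
    released: date
    installed: Optional[date]   # None means still not installed


def days_open(rec: PatchRecord, as_of: date) -> int:
    """Days from release to install, or to the evaluation date if still open."""
    return ((rec.installed or as_of) - rec.released).days


def evaluate(records: List[PatchRecord], as_of: date) -> Dict[str, List[str]]:
    """Return CVE IDs breaching each window, keyed 'contract' and 'standard'.

    A record can breach the Standard without breaching the contract; that gap
    is what leaves agencies non-compliant even when the supplier meets its
    service level.
    """
    out: Dict[str, List[str]] = {"contract": [], "standard": []}
    for r in records:
        d = days_open(r, as_of)
        if d > STANDARD_DAYS:
            out["standard"].append(r.cve)
        if r.cvss >= CVSS_THRESHOLD and d > CONTRACT_DAYS:
            out["contract"].append(r.cve)
    return out


def standard_only(result: Dict[str, List[str]]) -> List[str]:
    """CVEs that breach the 30-day Standard but not the contractual window."""
    return [c for c in result["standard"] if c not in result["contract"]]


# Constructed inventory with placeholder CVE identifiers.
INVENTORY = [
    PatchRecord("app-01", "CVE-0000-0001", 9.8, date(2024, 4, 1), date(2024, 5, 15)),   # 44 days
    PatchRecord("db-02",  "CVE-0000-0002", 9.1, date(2024, 3, 1), None),                # 121 days, still open
    PatchRecord("web-03", "CVE-0000-0003", 5.5, date(2024, 3, 15), date(2024, 5, 30)),  # 76 days, below threshold
    PatchRecord("app-04", "CVE-0000-0004", 8.0, date(2024, 6, 5), date(2024, 6, 20)),   # 15 days
]

# Evaluation date for the constructed inventory.
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    res = evaluate(INVENTORY, AS_OF)
    print("contract breaches:", res["contract"])
    print("standard breaches:", res["standard"])
    print("standard-only    :", standard_only(res))
```

On the constructed data only one record earns the supplier a credit, while three put the agency out of compliance with the Standard; the "standard-only" list is the set an agency would need to escalate or obtain a CSRM-approved timeframe for, since the contract gives it no lever over those patches.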
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024, and thus, were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth’s data confidentiality, integrity, and availability.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires non-federal entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the subrecipients used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0
Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024.
Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion on internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report it cannot adequately determine whether the fiscal agent has designed and implemented sufficient controls, or whether those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.
Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting.
Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, effective February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure; as a result, the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.
Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction.
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.
Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024.
Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks against its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating corrective actions are still ongoing with an estimated completion date of September 2024.
Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard, and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.
The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.
Without detailed policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and, as a result, Medical Assistance Services has not consistently evaluated and applied security controls.
Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.
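The recommended baseline review, as an added illustration that is not the agency’s own tooling or baseline: a documented baseline of expected settings, a register of approved deviations (each with a business justification, an approver, and a re-approval date), and a scheduled comparison against the observed configuration that reports drift. The setting names are PostgreSQL-style parameters used only as an example, and all values are constructed.

```python
"""Review a database's observed configuration against a documented baseline.

Constructed example (not the agency's baseline): every setting in BASELINE has
an expected value; any departure must appear in the approved-deviation register
with a justification and approver, otherwise it is reported as drift.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deviation:
    setting: str
    approved_value: str
    justification: str
    approved_by: str
    expires: date  # deviations are re-approved at the scheduled baseline review


# Constructed baseline; PostgreSQL-style parameter names are illustrative only.
BASELINE = {
    "ssl": "on",
    "password_encryption": "scram-sha-256",
    "log_connections": "on",
    "log_disconnections": "on",
    "log_statement": "ddl",
    "authentication_timeout": "60",
}

# Constructed deviation register: a deviation is only valid when it carries a
# justification and an approver and has not passed its re-approval date.
APPROVED_DEVIATIONS = [
    Deviation("log_statement", "mod",
              "Program integrity unit requires DML logging for case audits",
              "ISO", date(2025, 6, 30)),
]


def review_configuration(observed, baseline=BASELINE,
                         deviations=APPROVED_DEVIATIONS, as_of=date(2024, 9, 30)):
    """Return {setting: status} for every baseline setting and every deviation.

    Statuses: compliant, approved_deviation, expired_deviation,
    incomplete_deviation (missing justification/approver), unapproved_deviation,
    not_reported (observed config lacks the setting), and
    deviation_without_baseline_entry (register entry the baseline never defined).
    """
    register = {d.setting: d for d in deviations}
    results = {}
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual is None:
            results[setting] = "not_reported"
        elif actual == expected:
            results[setting] = "compliant"
        elif setting in register and register[setting].approved_value == actual:
            dev = register[setting]
            if not dev.justification.strip() or not dev.approved_by.strip():
                results[setting] = "incomplete_deviation"
            elif dev.expires < as_of:
                results[setting] = "expired_deviation"
            else:
                results[setting] = "approved_deviation"
        else:
            results[setting] = "unapproved_deviation"
    for setting in register:
        if setting not in baseline:
            results[setting] = "deviation_without_baseline_entry"
    return results


def drift_items(results):
    """Settings that need action: anything not compliant or properly approved."""
    ok = {"compliant", "approved_deviation"}
    return sorted(s for s, status in results.items() if status not in ok)


if __name__ == "__main__":
    # Constructed observed configuration, as a scheduled review would collect it.
    observed = {
        "ssl": "on",
        "password_encryption": "md5",
        "log_connections": "on",
        "log_disconnections": "off",
        "log_statement": "mod",
        "authentication_timeout": "60",
    }
    results = review_configuration(observed)
    for setting, status in sorted(results.items()):
        print(f"{setting:24} {status}")
    print("drift:", drift_items(results))
```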
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to:
accurately verify and validate data and system sensitivity ratings;
create risk assessments for 90 percent of its sensitive systems;
create system security plans for the 55 current systems identified as sensitive;
review risk assessments for 100 percent of its existing documentation; and
implement corrective actions identified in risk assessments.
We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet to submit to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it only recently formalized that process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to implement the corrective action responsibilities.
ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses.
We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing or insufficient procedures and processes for managing the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.
TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.
We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. By not dedicating the necessary IT resources to information security, Social Services has hindered its ability to remediate, consistently and in a timely manner, findings from management recommendations issued during prior year audits and to bring the information security program into compliance with the Security Standard.
During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.
TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, has neither performed nor documented a conflicting access review to identify the combinations of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.
Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.
Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
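What a documented conflicting access review produces, as an added illustration that is not Social Services’ system, its role names, or its review procedure: a conflict matrix of role combinations that would let one person both determine eligibility (or maintain a case) and authorize payment, user-role assignments checked against it, and each conflict found either tied to a documented compensating control or reported as unmitigated. Role names, users, and controls are all constructed.

```python
"""Conflicting access review for a role-based case management system.

Constructed example (not the agency's system): the conflict matrix names role
pairs that should not be held by one person, the compensating-control register
documents how an accepted conflict is mitigated, and the review reports every
user holding a conflicting pair together with the control that covers it.
"""
from collections import Counter
from itertools import combinations

# Constructed role pairs that would let one person originate and approve a benefit.
CONFLICT_MATRIX = {
    frozenset({"determine_eligibility", "authorize_payment"}):
        "Eligibility determination combined with payment authorization",
    frozenset({"maintain_case_record", "authorize_payment"}):
        "Case record maintenance combined with payment authorization",
    frozenset({"administer_roles", "authorize_payment"}):
        "Role administration combined with payment authorization",
}

# Constructed compensating controls, keyed by the conflicting pair they cover.
COMPENSATING_CONTROLS = {
    frozenset({"determine_eligibility", "authorize_payment"}):
        "Supervisor second approval on payments; weekly exception report reviewed",
}


def find_conflicts(user_roles, matrix=CONFLICT_MATRIX, controls=COMPENSATING_CONTROLS):
    """Return one finding per (user, conflicting role pair), sorted by user.

    user_roles maps a user id to the set of roles assigned in the system.
    A finding's compensating_control is None when no control is documented.
    """
    findings = []
    for user, roles in sorted(user_roles.items()):
        for pair in combinations(sorted(roles), 2):
            key = frozenset(pair)
            if key in matrix:
                findings.append({
                    "user": user,
                    "roles": tuple(sorted(pair)),
                    "conflict": matrix[key],
                    "compensating_control": controls.get(key),
                })
    return findings


def unmitigated(findings):
    """Findings with no documented compensating control: these need action."""
    return [f for f in findings if f["compensating_control"] is None]


def exposure_summary(findings):
    """How many users hold each conflicting combination, for the review record."""
    return Counter(f["roles"] for f in findings)


if __name__ == "__main__":
    # Constructed access listing, as obtained from the system owner.
    listing = {
        "worker01": {"determine_eligibility", "authorize_payment"},
        "worker02": {"maintain_case_record", "authorize_payment", "determine_eligibility"},
        "worker03": {"maintain_case_record"},
        "admin01": {"administer_roles", "authorize_payment"},
    }
    results = find_conflicts(listing)
    for f in results:
        status = "mitigated by: " + f["compensating_control"] if f["compensating_control"] else "UNMITIGATED"
        print(f"{f['user']:10} {f['roles']} {status}")
    print("exposure:", dict(exposure_summary(results)))
    print("unmitigated findings:", len(unmitigated(results)))
```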
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.
The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.
Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers.
According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.
Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.
The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.
Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
High-severity flaws within 30 calendar days;
Medium-severity flaws within 60 calendar days; and
All others within 90 calendar days.
Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified.
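The deadlines above can be checked mechanically against a scanner export. The following is an added example, not code from the audit report or from Medical Assistance Services: it applies the agency procedure’s clock (high 30, medium 60, all others 90 calendar days from first detection) and the SEC520 clock (critical/high 30 days and all others 90 days from a fix becoming available) to constructed findings and lists those past due without an approved exception. The finding identifiers, hosts, dates, and the decision to count “critical” under the procedure’s high-severity deadline are assumptions made for illustration.

```python
"""Flag scanner findings that have exceeded the remediation deadlines quoted
in the finding. Constructed example; the rows, dates and exception IDs below
are invented and do not come from any real scan."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Calendar-day deadlines keyed by scanner severity.
# Assumption: the agency procedure lists only a high-severity deadline, so
# "critical" is treated as high here.
PROCEDURE_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90, "info": 90}
# SEC520: critical/high within 30 days of a fix, everything else within 90.
SEC520_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90, "info": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    cve: str
    severity: str                  # scanner severity, lower-case
    first_seen: date               # first date the scanner reported it
    fix_available: Optional[date]  # vendor fix publication date, if any


@dataclass(frozen=True)
class Overdue:
    finding_id: str
    rule: str          # "procedure" or "SEC520"
    deadline: date
    days_overdue: int


def deadlines(f: Finding) -> List[Tuple[str, date]]:
    """Return every (rule, due date) that applies to one finding."""
    due = [("procedure", f.first_seen + timedelta(days=PROCEDURE_DAYS[f.severity]))]
    # The SEC520 clock starts only once a fix exists.
    if f.fix_available is not None:
        due.append(("SEC520", f.fix_available + timedelta(days=SEC520_DAYS[f.severity])))
    return due


def overdue(findings: Iterable[Finding], as_of: date,
            exceptions: FrozenSet[str] = frozenset()) -> List[Overdue]:
    """List findings past any applicable deadline, most overdue first.
    Findings covered by an approved security exception are skipped."""
    out: List[Overdue] = []
    for f in findings:
        if f.finding_id in exceptions:
            continue
        for rule, due in deadlines(f):
            if as_of > due:
                out.append(Overdue(f.finding_id, rule, due, (as_of - due).days))
    return sorted(out, key=lambda o: (-o.days_overdue, o.finding_id))


# Constructed scan export (not real data).
SAMPLE_FINDINGS = [
    Finding("F1", "app01", "CVE-0000-0001", "critical", date(2024, 9, 1), date(2024, 8, 20)),
    Finding("F2", "db02",  "CVE-0000-0002", "medium",   date(2024, 10, 1), date(2024, 9, 25)),
    Finding("F3", "web03", "CVE-0000-0003", "low",      date(2024, 7, 1), None),
    Finding("F4", "app01", "CVE-0000-0004", "high",     date(2024, 10, 20), date(2024, 10, 20)),
    Finding("F5", "fs05",  "CVE-0000-0005", "high",     date(2024, 8, 1), date(2024, 7, 15)),
]
# Assumed: F5 has an approved CSRM exception on file.
SAMPLE_EXCEPTIONS = frozenset({"F5"})
AS_OF = date(2024, 11, 15)


def sample_report() -> List[Overdue]:
    return overdue(SAMPLE_FINDINGS, AS_OF, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for o in sample_report():
        print(f"{o.finding_id} overdue {o.days_overdue}d under {o.rule} (due {o.deadline})")
```

A real run would replace `SAMPLE_FINDINGS` with rows parsed from the scanner’s export and `SAMPLE_EXCEPTIONS` with the exception register; the point of tracking both clocks separately is that a finding can be inside the agency’s own window while already past the SEC520 deadline, as F1 shows.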
Once a software vulnerability is publicly disclosed, bad actors can exploit the flaw to circumvent organizational information security controls and infiltrate a network or application. The longer these vulnerabilities remain in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.
Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18 percent) due for an IT security audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.
The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.
Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission critical data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
ISRM does not provide applicable role-based training to system administrators or data custodians who have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency.
Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.
Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.
ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document its process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.
ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.
In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.
Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.
Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.
Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.
Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than its retention period allows, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.
The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.
In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.
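The reconciliation described above (matching HR separations against the access management system) and the 364-day review interval from finding 2024-0xx on the case management system’s annual access review are both simple date checks that can be automated. The following is an added example, not code from the audit report, Social Services, or ISRM: it flags separated users whose accounts were disabled more than 24 hours after separation, or not at all, and computes whether an annual access review is past due. The user identifiers, timestamps, and the choice to measure an open account’s lag up to the run date are assumptions made for illustration.

```python
"""Two access-lifecycle checks against constructed HR and directory data.
Constructed example; none of the records below are real."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Security Standard: disable access within 24 hours of termination.
MAX_DISABLE_LAG = timedelta(hours=24)
# Procedures Manual: next review within 364 days of the last one.
MAX_REVIEW_INTERVAL_DAYS = 364


@dataclass(frozen=True)
class Separation:
    user_id: str
    separated_at: datetime  # effective separation time from the HR system


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    disabled_at: Optional[datetime]  # when the account was disabled, if it was


def late_disables(separations: Iterable[Separation], accounts: Iterable[Account],
                  as_of: datetime) -> List[Tuple[str, float]]:
    """Return (user_id, lag_hours) for every separated user whose account was
    not disabled within MAX_DISABLE_LAG. Accounts still enabled are measured
    up to as_of, so the lag keeps growing until someone acts."""
    by_user = {a.user_id: a for a in accounts}
    late: List[Tuple[str, float]] = []
    for s in separations:
        acct = by_user.get(s.user_id)
        if acct is None:
            continue  # separated person never had an account here
        if acct.enabled or acct.disabled_at is None:
            lag = as_of - s.separated_at            # still open
        else:
            lag = acct.disabled_at - s.separated_at  # closed; measure the delay
        if lag > MAX_DISABLE_LAG:
            late.append((s.user_id, round(lag.total_seconds() / 3600, 1)))
    return late


def review_overdue(last_review: date, as_of: date) -> Tuple[bool, int]:
    """Annual review status: (is overdue, days past the 364-day deadline)."""
    due = last_review + timedelta(days=MAX_REVIEW_INTERVAL_DAYS)
    return as_of > due, max(0, (as_of - due).days)


# Constructed inputs (not real data).
SEPARATIONS = [
    Separation("u1", datetime(2024, 6, 1, 9, 0)),
    Separation("u2", datetime(2024, 6, 3, 9, 0)),
    Separation("u3", datetime(2024, 6, 20, 9, 0)),
    Separation("u4", datetime(2024, 6, 25, 9, 0)),   # no account on record
    Separation("u5", datetime(2024, 6, 10, 10, 0)),
]
ACCOUNTS = [
    Account("u1", False, datetime(2024, 6, 1, 17, 0)),   # 8h: compliant
    Account("u2", False, datetime(2024, 6, 5, 9, 0)),    # 48h: late
    Account("u3", True, None),                           # never disabled
    Account("u5", False, datetime(2024, 6, 11, 9, 30)),  # 23.5h: compliant
    Account("svc-batch", True, None),                    # not separated; ignored
]
RUN_AT = datetime(2024, 6, 30, 12, 0)


def sample_late() -> List[Tuple[str, float]]:
    return late_disables(SEPARATIONS, ACCOUNTS, RUN_AT)


if __name__ == "__main__":
    for user, hours in sample_late():
        print(f"{user}: access removed {hours}h after separation (limit 24h)")
    print("annual review overdue:", review_overdue(date(2022, 6, 15), RUN_AT.date()))
```

Feeding this the HR separation feed and the directory export on a schedule gives the monitoring control the finding asks for; the `as_of` lag for still-enabled accounts is what turns a one-time cleanup into an ongoing detection.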
Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0
VITA has made significant progress in monitoring and enforcing the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch addressing a CVE with a severity score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth.
Although VITA monitored the service levels implemented in the prior year, not enough time has passed to demonstrate the effect of the credits enforced. Our audits at various agencies for fiscal year 2024 found critical- and high-severity security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), it impairs the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard.
The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations.
Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. Although the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments.
The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024, and thus, were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth’s data confidentiality, integrity, and availability.
To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0
Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan:
Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan.
Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients.
Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.
Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.
Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfill the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-100; 2022-016; 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs.
As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures.
While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year.
Program consultants did not include adequate justification for why they would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk.
Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments.
Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients.
Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse.
Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year.
Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-102; 2022-014
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0
Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both locality and non-locality subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan:
Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews.
Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had fewer sampling units than required by its subrecipient monitoring plan.
Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance.
Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes, which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year.
Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards.
Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan.
Views of Responsible Officials:
The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.