Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Health
Finding 2024 ¬– 006:
ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19)
A Significant Deficiency and Noncompliance Exist at the Department of Health Related to Activities Allowed or Unallowed, Allowable Costs/Costs Principles
Federal Grant Number(s) and Year(s): 231PA705W1003 (10/01/2022-9/30/2023), 241PA705W1003 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles
Condition: The Pennsylvania Department of Health (DOH) administers and monitors the WIC Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) which provides assistance to low-income families for supplemental foods, education, and social services. WIC funds are received via federal grants from the United States Department of Agriculture (USDA) to meet these needs. The Pennsylvania DOH is responsible for ensuring that granted funds are used for allowable costs and grant provisions are followed.
WIC administrative grant Y23172 closed on September 30, 2023. The audit procedures disclosed that the closed grant had federal revenues that exceeded federal expenditures by approximately $95 thousand. DOH indicated that a credit was identified and posted to the grant after the FNS-798 grant close out report was submitted in February 2024. The credit was largely due to overcharges of costs for a Software License Agreement that was not allowable to the grant. The adjustment to record the credit to the grant posted in June 2024. Although DOH had identified and recorded the adjustment, DOH did not update the FNS-798 grant close out report which was necessary to return the corresponding federal funds to the USDA. DOH indicated that it is in the process of generating an updated FNS-798 report to enable the funds to be returned.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
2 CFR Section 200.405, Allowable costs, states:
a) Allocable costs in general. A cost is allocable to a Federal award or other cost objective if the cost is assignable to that Federal award or other cost objective in accordance with the relative benefits received. This standard is met if the cost satisfies any of the following criteria:
Finding 2024 ¬– 006: (continued)
(1) Is incurred specifically for the Federal award;
(2) Benefits both the Federal award and other work of the recipient or subrecipient and can be distributed in proportions that may be approximated using reasonable methods; or
(3) Is necessary to the overall operation of the recipient or subrecipient and is assignable in part to the Federal award in accordance with these cost principles.
2 CFR Section 200.406, Applicable credits, states:
(a) Applicable credits refer to transactions that offset or reduce direct or indirect costs allocable to a Federal award. Examples of such transactions are purchase discounts, rebates or allowances, recoveries or indemnities on losses, insurance refunds or rebates, and adjustments of overpayments or erroneous charges. To the extent that such credits accruing to or received by the recipient or subrecipient relate to allowable costs, they must be credited to the Federal award either as a cost reduction or cash refund, as appropriate.
Cause: DOH was not aware of the overcharges at the time of grant closeout. Management subsequently became aware of the costs and credited the federal grant expenditures but did not recognize the FNS-798 report needed adjusted to facilitate the return of the federal funds.
Effect: DOH had unallowable costs expended within grant Y23172 that were not identified until after the grant was closed. The unallowable costs were later credited to the grant causing cumulative revenues to exceed cumulative expenditures for the grant. The federal funds were not properly returned to the USDA.
Recommendation: We recommend that DOH implement formal policies and procedures to prevent and detect any unallowable costs to ensure timely and accurate grant close out procedures. If adjustments are necessary after a grant is closed, procedures should include amending the FNS-798 report at the time of posting the adjustments. Furthermore, DOH should submit an updated FNS-798 report and return the $95 thousand of federal funds to USDA.
Agency Response: DOH agrees with this finding.
Questioned Costs: None
Department of Health
Finding 2024 ¬– 006:
ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19)
A Significant Deficiency and Noncompliance Exist at the Department of Health Related to Activities Allowed or Unallowed, Allowable Costs/Costs Principles
Federal Grant Number(s) and Year(s): 231PA705W1003 (10/01/2022-9/30/2023), 241PA705W1003 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles
Condition: The Pennsylvania Department of Health (DOH) administers and monitors the WIC Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) which provides assistance to low-income families for supplemental foods, education, and social services. WIC funds are received via federal grants from the United States Department of Agriculture (USDA) to meet these needs. The Pennsylvania DOH is responsible for ensuring that granted funds are used for allowable costs and grant provisions are followed.
WIC administrative grant Y23172 closed on September 30, 2023. The audit procedures disclosed that the closed grant had federal revenues that exceeded federal expenditures by approximately $95 thousand. DOH indicated that a credit was identified and posted to the grant after the FNS-798 grant close out report was submitted in February 2024. The credit was largely due to overcharges of costs for a Software License Agreement that was not allowable to the grant. The adjustment to record the credit to the grant posted in June 2024. Although DOH had identified and recorded the adjustment, DOH did not update the FNS-798 grant close out report which was necessary to return the corresponding federal funds to the USDA. DOH indicated that it is in the process of generating an updated FNS-798 report to enable the funds to be returned.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
2 CFR Section 200.405, Allowable costs, states:
a) Allocable costs in general. A cost is allocable to a Federal award or other cost objective if the cost is assignable to that Federal award or other cost objective in accordance with the relative benefits received. This standard is met if the cost satisfies any of the following criteria:
Finding 2024 ¬– 006: (continued)
(1) Is incurred specifically for the Federal award;
(2) Benefits both the Federal award and other work of the recipient or subrecipient and can be distributed in proportions that may be approximated using reasonable methods; or
(3) Is necessary to the overall operation of the recipient or subrecipient and is assignable in part to the Federal award in accordance with these cost principles.
2 CFR Section 200.406, Applicable credits, states:
(a) Applicable credits refer to transactions that offset or reduce direct or indirect costs allocable to a Federal award. Examples of such transactions are purchase discounts, rebates or allowances, recoveries or indemnities on losses, insurance refunds or rebates, and adjustments of overpayments or erroneous charges. To the extent that such credits accruing to or received by the recipient or subrecipient relate to allowable costs, they must be credited to the Federal award either as a cost reduction or cash refund, as appropriate.
Cause: DOH was not aware of the overcharges at the time of grant closeout. Management subsequently became aware of the costs and credited the federal grant expenditures but did not recognize the FNS-798 report needed adjusted to facilitate the return of the federal funds.
Effect: DOH had unallowable costs expended within grant Y23172 that were not identified until after the grant was closed. The unallowable costs were later credited to the grant causing cumulative revenues to exceed cumulative expenditures for the grant. The federal funds were not properly returned to the USDA.
Recommendation: We recommend that DOH implement formal policies and procedures to prevent and detect any unallowable costs to ensure timely and accurate grant close out procedures. If adjustments are necessary after a grant is closed, procedures should include amending the FNS-798 report at the time of posting the adjustments. Furthermore, DOH should submit an updated FNS-798 report and return the $95 thousand of federal funds to USDA.
Agency Response: DOH agrees with this finding.
Questioned Costs: None
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 010:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Work Registration Requirement
Federal Grant Number(s) and Year(s): C101064 (7/01/2023 - 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Eligibility
Condition: The Pennsylvania Department of Labor and Industry (L&I) administers and monitors federal Unemployment Insurance (UI) funds to provide benefits for unemployed workers for periods of involuntary unemployment. L&I is responsible for establishing policy and procedure to comply with the requirements of federal UI laws including collecting UI contributions, determining claimant eligibility, and making UI benefit payments. L&I uses Pennsylvania CareerLink and the Unemployment Compensation Benefits System to aid in making eligibility determinations pursuant federal requirements.
During the fiscal year ended June 30, 2024, testing revealed a claimant that was a union employee and claimed and received benefits was erroneously exempted from the work registration requirement. The work registration requirement is a condition of eligibility to receive benefits. L&I indicated that a programmatic error within the Unemployment Compensation Benefits System, which crossmatches against the Commonwealth Workforce Development System (CWDS), was not recognizing the workers with a union status as being required to register. Therefore, when the information came back from CWDS that claimants were not registered, the system incorrectly categorized these claimants as exempt.
L&I performed an analysis to determine the potential number of union claimants that were erroneously exempt from the work registration requirement. After analyzing the data, L&I developed an estimate of possible overpayments to include 3,481 claimants totaling $22.5 million. The estimated numbers represent the maximum possible error and would require further investigation at the individual claimant level to specifically determine actual overpayments. L&I indicated that due to this being a programmatic error, not due to claimants’ action or inaction, in consultation with legal counsel, L&I elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants. L&I acknowledged the programmatic issue prevented these individuals from knowing they would otherwise be denied for not registering. Furthermore, L&I stated it would be oppressive to inform the individuals now of requirements that needed to be met at the time of application, as well as burden them with unexpected overpayments.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Finding 2024 –¬ 010: (continued)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the UI program, Eligibility, states:
Regular Unemployment Compensation Program – Under state UC laws, a worker’s benefit rights depend on the amount of the worker’s wages and/or weeks of work in covered employment in a “base period.” While most states define the base period as the first four of the last five completed calendar quarters prior to the filing of the claim, other base periods may be used. To qualify for benefits, a claimant must have earned a certain number of wages or have worked a certain number of weeks or calendar quarters within the base period or meet some combination of wage and employment requirements. Some states require a waiting period of one week of total or partial unemployment before UC is payable. A “waiting period” is a non-compensable period of unemployment in which the worker is otherwise eligible for benefits.
To be eligible to receive UC, all states provide that a claimant must have been separated from suitable work for non-disqualifying reasons under state law (i.e., not because of such acts as leaving voluntarily without good cause or discharge for misconduct connected with work). After separation, they must be able and available for work, actively seeking work, legally authorized to work in the United States and must not have refused an offer of suitable work.
Pennsylvania UC Law booklet, states:
ARTICLE IV COMPENSATION Section 401.
Qualifications Required to Secure Compensation.—
Compensation shall be payable to any employe who is or becomes unemployed, and who—
(a) Satisfies both of the following requirements: (1) Has, within his base year, been paid wages for employment as required by section 404(c) of this act. (2) Except as provided in section 404(a)(3) and (e)(2)(v), not less than thirty-seven per centum (37%) of the employe's total base year wages have been paid in one or more quarters, other than the highest quarter in such employe's base year. ((2) amended June 30, 2021, P.L.173, No.30) ((a) amended Nov. 3, 2016, P.L.1100, No.144) (b) (1) Is making an active search for suitable employment. The requirements for "active search" shall be established by the department and shall include, at a minimum, all of the following: 106 PENNSYLVANIA UNEMPLOYMENT COMPENSATION LAW (i) Registration by a claimant for employment search services offered by the Pennsylvania CareerLink system or its successor agency within thirty (30) days after initial application for benefits. (ii) Posting a resume on the system's database, unless the claimant is seeking work in an employment sector in which resumes are not commonly used. (iii) Applying for positions that offer employment and wages similar to those the claimant had prior to his unemployment and which are within a forty-five (45) minute commuting distance.
Cause: A programmatic error within the Unemployment Compensation Benefits System erroneously exempted claimants with a union status from the work registration requirement.
Effect: Claimants with union status that were exempted from the work registration eligibility requirement possibly received UI benefit payments without meeting all the eligibility requirements, resulting in disallowed benefit payments. As indicated above in the condition, L&I has elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants.
Recommendation: We recommend that L&I strengthen policies and procedures to prevent and detect errors that could result in improper benefit payments.
Finding 2024 –¬ 010: (continued)
Agency Response: L&I agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 011:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Reemployment Services and Eligibility Assessments Program
Federal Grant Number(s) and Year(s): C10164 (7/01/2023 – 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Special Tests and Provisions related to Unemployment Insurance (UI) Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA)
Condition: During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) was required to administer reemployment services for the Unemployment Insurance (UI) program. The Commonwealth of Pennsylvania elected to operate the Reemployment Services and Eligibility Assessments (RESEA) program to satisfy the Worker Profiling and Reemployment Services (WPRS) federal mandate which was permitted by federal requirements.
The RESEA program enables claimants who are most likely to exhaust their benefits to access services that assist them to return to work or provide assistance in areas such as job search or placement, job markets, and testing. Claimant participants work with a case administrator (administrator) throughout the program, and the administrators are supervised by a case manager. L&I’s program procedures are outlined in the Labor and Industry RESEA Manual which details claimant selection, eligibility, and the intervention process performed by the administrator to assist participating claimants.
The Commonwealth of Pennsylvania’s RESEA program uses a comprehensive checklist from the RESEA Manual to ensure that all elements of the program are being satisfied for each case. To test the RESEA requirements for the fiscal year ending June 30, 2024, a sample of 40 out of 22,774 claimant cases that completed the program during that time period was selected for testing. No noncompliance was identified. However, we were unable to test the operating effectiveness of certain internal control procedures at the case level, since supporting documentation for checklists was not maintained for eight of the 40 cases tested.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management Directive 325.12 Standards for Internal Control for Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book), published in September 2014. The Green Book states in part:
Finding 2024 –¬ 011: (continued)
Management should design control activities to achieve objectives and respond to risks.
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: According to L&I management, the checklist was mandatory for use by the administrators. L&I indicated that the eight checklists which were unavailable to be reviewed were lost due to moving locations.
Effect: The lack of adequate internal controls over compliance in the RESEA program could result in improper identification of claimants and insufficient services resulting in federal noncompliance. Although noncompliance was not identified by our audit procedures, fully operational controls would enable case administrators and managers to ensure compliance with program requirements and to timely prevent and detect instances of noncompliance.
Recommendation: We recommend that L&I management ensure the use of the checklist to strengthen internal controls and to ensure verification of all elements of the RESEA program are occurring, accurate, and complete. Also, L&I management should ensure that proper documentation of the use of these tools is maintained.
Agency Response: L&I is in agreement with the recommendations and will ensure that the checklist will be completed for all RESEA recipients. Management will ensure that proper documentation of this tool is maintained.
1. Yearly RESEA case file reviews will be conducted by the Bureau of Workforce Partnership & Operations (BWPO) Central office staff.
2. Quarterly meetings with local office staff to reinforce the importance of utilizing the checklist.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 010:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Work Registration Requirement
Federal Grant Number(s) and Year(s): C101064 (7/01/2023 - 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Eligibility
Condition: The Pennsylvania Department of Labor and Industry (L&I) administers and monitors federal Unemployment Insurance (UI) funds to provide benefits for unemployed workers for periods of involuntary unemployment. L&I is responsible for establishing policy and procedure to comply with the requirements of federal UI laws including collecting UI contributions, determining claimant eligibility, and making UI benefit payments. L&I uses Pennsylvania CareerLink and the Unemployment Compensation Benefits System to aid in making eligibility determinations pursuant federal requirements.
During the fiscal year ended June 30, 2024, testing revealed a claimant that was a union employee and claimed and received benefits was erroneously exempted from the work registration requirement. The work registration requirement is a condition of eligibility to receive benefits. L&I indicated that a programmatic error within the Unemployment Compensation Benefits System, which crossmatches against the Commonwealth Workforce Development System (CWDS), was not recognizing the workers with a union status as being required to register. Therefore, when the information came back from CWDS that claimants were not registered, the system incorrectly categorized these claimants as exempt.
L&I performed an analysis to determine the potential number of union claimants that were erroneously exempt from the work registration requirement. After analyzing the data, L&I developed an estimate of possible overpayments to include 3,481 claimants totaling $22.5 million. The estimated numbers represent the maximum possible error and would require further investigation at the individual claimant level to specifically determine actual overpayments. L&I indicated that due to this being a programmatic error, not due to claimants’ action or inaction, in consultation with legal counsel, L&I elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants. L&I acknowledged the programmatic issue prevented these individuals from knowing they would otherwise be denied for not registering. Furthermore, L&I stated it would be oppressive to inform the individuals now of requirements that needed to be met at the time of application, as well as burden them with unexpected overpayments.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Finding 2024 –¬ 010: (continued)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the UI program, Eligibility, states:
Regular Unemployment Compensation Program – Under state UC laws, a worker’s benefit rights depend on the amount of the worker’s wages and/or weeks of work in covered employment in a “base period.” While most states define the base period as the first four of the last five completed calendar quarters prior to the filing of the claim, other base periods may be used. To qualify for benefits, a claimant must have earned a certain number of wages or have worked a certain number of weeks or calendar quarters within the base period or meet some combination of wage and employment requirements. Some states require a waiting period of one week of total or partial unemployment before UC is payable. A “waiting period” is a non-compensable period of unemployment in which the worker is otherwise eligible for benefits.
To be eligible to receive UC, all states provide that a claimant must have been separated from suitable work for non-disqualifying reasons under state law (i.e., not because of such acts as leaving voluntarily without good cause or discharge for misconduct connected with work). After separation, they must be able and available for work, actively seeking work, legally authorized to work in the United States and must not have refused an offer of suitable work.
Pennsylvania UC Law booklet, states:
ARTICLE IV COMPENSATION Section 401.
Qualifications Required to Secure Compensation.—
Compensation shall be payable to any employe who is or becomes unemployed, and who—
(a) Satisfies both of the following requirements: (1) Has, within his base year, been paid wages for employment as required by section 404(c) of this act. (2) Except as provided in section 404(a)(3) and (e)(2)(v), not less than thirty-seven per centum (37%) of the employe's total base year wages have been paid in one or more quarters, other than the highest quarter in such employe's base year. ((2) amended June 30, 2021, P.L.173, No.30) ((a) amended Nov. 3, 2016, P.L.1100, No.144) (b) (1) Is making an active search for suitable employment. The requirements for "active search" shall be established by the department and shall include, at a minimum, all of the following: 106 PENNSYLVANIA UNEMPLOYMENT COMPENSATION LAW (i) Registration by a claimant for employment search services offered by the Pennsylvania CareerLink system or its successor agency within thirty (30) days after initial application for benefits. (ii) Posting a resume on the system's database, unless the claimant is seeking work in an employment sector in which resumes are not commonly used. (iii) Applying for positions that offer employment and wages similar to those the claimant had prior to his unemployment and which are within a forty-five (45) minute commuting distance.
Cause: A programmatic error within the Unemployment Compensation Benefits System erroneously exempted claimants with a union status from the work registration requirement.
Effect: Claimants with union status that were exempted from the work registration eligibility requirement possibly received UI benefit payments without meeting all the eligibility requirements, resulting in disallowed benefit payments. As indicated above in the condition, L&I has elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants.
Recommendation: We recommend that L&I strengthen policies and procedures to prevent and detect errors that could result in improper benefit payments.
Finding 2024 –¬ 010: (continued)
Agency Response: L&I agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 011:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Reemployment Services and Eligibility Assessments Program
Federal Grant Number(s) and Year(s): C10164 (7/01/2023 – 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Special Tests and Provisions related to Unemployment Insurance (UI) Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA)
Condition: During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) was required to administer reemployment services for the Unemployment Insurance (UI) program. The Commonwealth of Pennsylvania elected to operate the Reemployment Services and Eligibility Assessments (RESEA) program to satisfy the Worker Profiling and Reemployment Services (WPRS) federal mandate which was permitted by federal requirements.
The RESEA program enables claimants who are most likely to exhaust their benefits to access services that assist them to return to work or provide assistance in areas such as job search or placement, job markets, and testing. Claimant participants work with a case administrator (administrator) throughout the program, and the administrators are supervised by a case manager. L&I’s program procedures are outlined in the Labor and Industry RESEA Manual which details claimant selection, eligibility, and the intervention process performed by the administrator to assist participating claimants.
The Commonwealth of Pennsylvania’s RESEA program uses a comprehensive checklist from the RESEA Manual to ensure that all elements of the program are being satisfied for each case. To test the RESEA requirements for the fiscal year ending June 30, 2024, a sample of 40 out of 22,774 claimant cases that completed the program during that time period was selected for testing. No noncompliance was identified. However, we were unable to test the operating effectiveness of certain internal control procedures at the case level, since supporting documentation for checklists was not maintained for eight of the 40 cases tested.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management Directive 325.12 Standards for Internal Control for Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book), published in September 2014. The Green Book states in part:
Finding 2024 –¬ 011: (continued)
Management should design control activities to achieve objectives and respond to risks.
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: According to L&I management, the checklist was mandatory for use by the administrators. L&I indicated that the eight checklists which were unavailable to be reviewed were lost due to moving locations.
Effect: The lack of adequate internal controls over compliance in the RESEA program could result in improper identification of claimants and insufficient services resulting in federal noncompliance. Although noncompliance was not identified by our audit procedures, fully operational controls would enable case administrators and managers to ensure compliance with program requirements and to timely prevent and detect instances of noncompliance.
Recommendation: We recommend that L&I management ensure the use of the checklist to strengthen internal controls and to ensure verification of all elements of the RESEA program are occurring, accurate, and complete. Also, L&I management should ensure that proper documentation of the use of these tools is maintained.
Agency Response: L&I is in agreement with the recommendations and will ensure that the checklist will be completed for all RESEA recipients. Management will ensure that proper documentation of this tool is maintained.
1. Yearly RESEA case file reviews will be conducted by the Bureau of Workforce Partnership & Operations (BWPO) Central office staff.
2. Quarterly meetings with local office staff to reinforce the importance of utilizing the checklist.
Questioned Costs: None
Office of Budget Operations
Finding 2024 – 013:
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
A Significant Deficiency and Noncompliance Exist at the Office of Budget Operations Related to the Quarterly Project and Expenditure Report (A Similar Condition Was Noted in Prior Year Finding 2023-020)
Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 – 12/31/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Reporting
Condition: Two of four quarterly Project and Expenditure Reports were selected for testing. The Office of Budget Operations (OBO) reported incomplete capital project information in these quarterly reports. Specifically, the following exceptions were noted:
• A project’s description allows capital expenditures by subrecipients, but OBO has reported it as a non-capital project on both the 9/30/2023 and 3/31/2024 quarterly Project and Expenditure reports. In addition, the Pennsylvania Emergency Management Agency (PEMA) did not require the subrecipients receiving funding under this project to report their capital expenditures to PEMA. Therefore, OBO is unable to determine the amount of capital expenditures obligated and expended for this project for the quarters tested.
• A capital project in excess of $10 million was reported as a non-capital project on the 9/30/2023 quarterly report.
• On the 9/30/2023 quarterly report, the project was correctly reported as a capital project and the required written justification was included, however, the justification did not include all required elements.
Criteria: Per the Compliance and Reporting Guidance issued by the U.S. Department of the Treasury, recipients must report if a project includes capital expenditures, the type of capital expenditure, and the amount of capital expenditures obligated and expended.
Per 31 CFR §35.6(b)(4), a recipient, other than a Tribal government, must prepare written justifications for capital projects with capital expenditures enumerated by Treasury in the final rule and with total capital expenditures greater than $10 million.
Such written justifications must include the following elements:
(i) Describe the harm or need to be addressed;
(ii) Explain why a capital expenditure is appropriate; and
(iii) Compare the proposed capital expenditure to at least two alternative capital expenditures and demonstrate why the proposed capital expenditure is superior.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PEMA issued subawards to 666 local EMS companies and the subrecipients were allowed to expend the funds on a variety of uses, including capital expenditures. PEMA did not obtain detail of capital expenditures incurred from the subrecipients and was therefore unable to provide the information to OBO for inclusion on the Project and Expenditure Reports.
Finding 2024 – 013: (continued)
The required elements for capital project justifications are summarized on page 4390 of the Final Rule, but they are not mentioned in the Project and Expenditure Report User Guide nor in the Compliance and Reporting Guidance. Therefore, OBO was unaware that it was necessary to include specific elements in the justification.
Effect: OBO did not properly identify and report capital projects. Errors included omitting capital project obligations and expenditures and incomplete justifications for a capital project greater than $10 million.
Recommendation: We recommend that OBO ensures that all capital projects are properly reported and that justifications for capital projects greater than $10 million include all required elements. We further recommend that subrecipients are sufficiently monitored to allow OBO to correctly report capital expenditures obligated and expended.
Agency Response: The Office of Budget Operations, formerly known as the Governor’s Budget Office or GBO, agrees with this finding. Through our Corrective Action Plan, we will document the work we’ve already done to resolve this finding.
Questioned Costs: None
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Department of Labor and Industry
Finding 2024 –¬ 009:
ALN 93.558 – Temporary Assistance for Needy Families
Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring and the Department of Labor and Industry Did Not Perform Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-014)
Federal Grant Number(s) and Year(s): 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: During the fiscal year ended June 30, 2024, the Department of Human Services (DHS) paid $83.5 million (or 21.9 percent) in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations out of total federal TANF expenditures of $381.0 million reported on the June 30, 2024 Schedule of Expenditures of Federal Awards (SEFA).
Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2024, disclosed that DHS performed on-site monitoring for 16 out of 16 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, and case management analysis. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 16 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings.
Our testing also included follow-up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2024. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $500 thousand of TANF funds during the fiscal year ended June 30, 2024.
During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) paid $27.1 million in TANF funding to subrecipients within the Youth Employment and Training (E&T) appropriation (or 7.1 percent) out of total federal TANF expenditures of $381.0 million reported on the June 30, 2024 SEFA.
Our testing of L&I’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2024, disclosed that L&I did not perform on-site monitoring or desk reviews for seven out of seven subrecipients selected for testing.
Finding 2024 –¬ 009: (continued)
Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision].
2 CFR Section 200.332, Requirements for pass-through entities, states in part:
A pass-through entity must:
(f) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (c) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters;
(2) Performing site visits to review the subrecipient's program operations; and
(3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services].
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: DHS considered how financial monitoring might be incorporated into on-site monitoring procedures, but updated procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2024. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. L&I recognized the need to perform during-the-award monitoring procedures for TANF funds passed through for the Youth E&T program, but the updated procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2024.
Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS and L&I management.
Recommendation: DHS and L&I should strengthen controls to ensure during-the-award monitoring is being performed for all TANF subrecipients and that the monitoring includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS and L&I subrecipients.
Finding 2024 –¬ 009: (continued)
DHS Response: DHS agrees with this finding.
L&I Response: L&I concurs with this finding. TANF Youth Development Program (TANF YDP) operations transitioned from the Bureau of Workforce Development Administration (BWDA) to the Bureau of Workforce Partnerships and Operations (BWPO) in January 2023. Due to this transition, BWPO did not conduct on site monitoring of the TANF YDP program in program year 2023. BWPO did begin on site monitoring in program year 2024 on a limited basis as a pilot with 3 local areas in September of 2024. BWPO plans to expand monitoring efforts in 2025.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 – 008:
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Department of Human Services’ Program Monitoring of the Social Services Block Grant Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-015)
Federal Grant Number(s) and Year(s): 2401PASOSR (10/01/2023 – 9/30/2025), 2301PASOSR (10/01/2022 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirements: Cash Management, Subrecipient Monitoring
Condition: Our examination of the Department of Human Services’ (DHS) procedures for monitoring Social Services Block Grant (SSBG) subrecipients revealed that DHS did not adequately monitor the SSBG Mental Health, Homeless Services, and Child Welfare subrecipients to ensure that SSBG awards are used in compliance with laws and regulations, which include allowable costs, period of performance, and other requirements. DHS program personnel indicated that they performed on-site monitoring of nine subrecipients, however only three reports were issued to the subrecipients. The inadequately monitored subrecipients received $26.6 million (or approximately 29 percent) of total SSBG program expenditures of $91.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). While we did note that DHS adequately monitored three of the 55 Mental Health County/County Joinder subrecipients which included Mental Health, Homeless Services and Child Welfare services, this coverage is not adequate. In addition, our review of the risk assessments completed for all of the aforementioned subrecipients identified several instances where subrecipient monitoring was warranted but was not conducted.
In addition, for the compliance requirement related to cash management, we noted that DHS advanced funds to SSBG subrecipients in four of nine program areas, representing $34.0 million (or approximately 37 percent) of SSBG program expenditures, without adequately monitoring the reasonableness of the subrecipient cash balances. In particular, for the program areas related to Mental Health, Intellectual Disabilities, Homeless Services, and Child Welfare, DHS advanced funds to subrecipients on a quarterly basis. Our inquiries with applicable DHS program administrators disclosed that DHS did not adequately monitor the four program areas’ subrecipients for cash management compliance either at the time of payment or at any other time during the fiscal year ended June 30, 2024.
Furthermore, while Single Audits of SSBG subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year.
Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
Finding 2024 – 008: (continued)
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
45 CFR Section 75.305(b)(1), applicable to payments to subrecipients, states in part:
…Advance payments to a non-Federal entity must be limited to the minimum amounts needed and be timed to be in accordance with the actual, immediate cash requirements of the non-Federal entity in carrying out the purpose of the approved program or project. The timing and amount of advance payments must be as close as is administratively feasible to the actual disbursements by the non-Federal entity for direct program or project costs and the proportionate share of any allowable indirect costs. The non-Federal entity must make timely payment to contractors in accordance with the contract provisions.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: DHS management indicated that risk assessment and monitoring documents were created for use during on-site monitoring of SSBG subrecipients. However, due to staffing issues, on-site monitoring was not performed for all SSBG subrecipients.
Consistent with prior year audits, DHS management noted that there have been no changes to the payment methodology for the Homeless Services, Mental Health, Intellectual Disabilities, and Child Welfare components of SSBG. These programs provide subrecipients with advances to comply with Commonwealth law and also to ensure that adequate funds are available to provide services to participants on a timely basis. DHS officials believe that their in-house payment review procedures for the SSBG program are as efficient as administratively feasible and that controls exist in each of the program areas. Without on-site program monitoring visits by funding agency officials, we consider DHS’s limited in-house reviews of subrecipient status reports or other documents to be insufficient to detect potential subrecipient noncompliance, including excess cash violations. DHS does not adjust payments to the subrecipients based on in-house reviews.
Effect: Since DHS does not adequately perform during-the-award monitoring of subrecipients, including the monitoring of subrecipient cash on hand, subrecipients may not be complying with applicable grant requirements and federal regulations, including cash management standards.
Recommendation: DHS should perform risk based during-the-award monitoring procedures for all SSBG subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Finding 2024 – 008: (continued)
As recommended in previous Single Audits and supported by the United States Department of Health and Human Services, DHS should either consider changing their current subrecipient payment procedures from advancement basis to reimbursement basis or establish procedures to adequately monitor subrecipient cash on hand to ensure it is limited to immediate needs, but no longer than one month. The implementation and strengthening of these controls should provide DHS with reasonable assurance as to compliance with cash management requirements at the subrecipient level.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Agriculture
Finding 2024 –¬ 004:
ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19)
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2023-004)
Federal Grant Number(s) and Year(s): 221PA365N8903 (10/01/22-9/30/2023), 221PA365N8903 (1/01/2022-9/30/2023), 231PA305N1099 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2023), 231PA365N8903 (10/01/2022-9/30/2024), 241PA305N1099 (10/01/2023-9/30/2024), 231PA825Y8005 (10/01/2022-9/30/2023), 241PA825Y8005 (10/01/2023-9/30/2024), 228PA100I1003 (6/13/2022-6/30/2025), 231PA825Y8105 (10/01/22-9/30/2023), 231PA445Q2204 (10/01/2022-9/30/2023), 238PA000I1003 (5/25/2023 – 6/30/2025), 241PA825Y8105 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods (CNC) and Special Tests and Provisions related to Accountability for USDA Foods (FDC)
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of USDA donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC) and the Commodity Supplemental Food Program (CSFP) and the Emergency Food Assistance Program (Food Commodities) (TEFAP) within the Food Distribution Cluster (FDC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Commodity Dollar Value Report, Agency Summary Reports, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to the distributor, processor, and recipient activity. BFA then provides commodity expenditures to the Pennsylvania Office of the Budget, Office of Comptroller Operations (OCO) for recording on the SEFA.
We tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures to report on the SEFA as of June 30, 2024. We noted the following:
Regarding the BFA year-end reconciliation provided in October 2024, our testing disclosed:
• Commodities used in the Local Food Service (LFS) program were incorrectly included in NSLP reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $26,697.
Based on inquiry of the above error, BFA management performed further review of the reconciliation and supporting reports that resulted in BFA providing a revised reconciliation to the auditors in December 2024. Our testing of the revised reconciliation disclosed the following:
• Commodities from the CSFP were uploaded to the system in late October, therefore excluded in the reports used for posting to the SEFA, resulting an understatement of CSFP commodity expenditures of $1,499,980.
• Twenty-six transactions related to NSLP disbursements and credits of processors were made in November and excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $23,442.
Finding 2024 – 004: (continued)
• One transaction resulting in a credit related to a Charitable Institution in NSLP was excluded from reports used for posting to the SEFA, resulting in an overstatement of NSLP SEFA commodity expenditures of $14,192 and beginning inventory being overstated by 226 cases.
• Eight extra transactions were incorrectly included on the TEFAP reports used for posting to the SEFA, resulting in an overstatement of TEFAP SEFA commodity expenditures of $69,894.
Regarding the Commodity Inventory Report for Processors, our testing disclosed:
• A system glitch caused one processor’s beginning inventory to be set to zero, making inventory amounts for that processor off by 118,610 cases.
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.1 Accountability for USDA – Donated Foods, states:
a. Maintenance of Records:
Distributing and subdistributing agencies (as defined at 7 CFR section 250.2) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the FDC Cluster, Special Tests and Provisions – N.1 Accountability for USDA Foods, states:
Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP.
7 CFR Section 250.19, Recordkeeping requirements, states:
(a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable.
7 CFR Section 247.29, Reports and recordkeeping, states:
(a) State and local agencies must maintain accurate and complete records relating to the receipt, disposal, and inventory of USDA Foods, the receipt and disbursement of administrative funds and other funds, eligibility determinations, fair hearings, and other program activities.
7 CFR Section 251.10, Reports and recordkeeping, states:
(a)(1) State agencies, subdistributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of USDA Foods received under this part that they, in turn, distribute to eligible recipient agencies.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Finding 2024 – 004: (continued)
Cause: During testing of the year-end inventory reconciliations provided in October, the auditors identified the inclusion of LFS commodities in the NSLP commodity report and brought the error to the attention of BFA personnel. BFA personnel agreed that the amounts should not have been included in the reports used for NSLP SEFA reporting. This error prompted BFA to perform further review of the commodity reports that resulted in BFA making additional corrections and updating the year-end inventory reconciliation, the revised reconciliation was provided to the auditors in December. Audit procedures performed on the updated year-end reconciliation identified differences between both reconciliations as noted above in the condition. BFA personnel did not notify the OCO of these changes to evaluate the impact and record the necessary adjustments to the SEFA.
Effect: Without direct intervention from the auditors, the reports for the CNC and FDC programs may not have been corrected. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods, misstatements in BFA’s inventory reconciliations, and did result in inaccurate commodity expenditures reported on the SEFA. A proposed audit adjustment of $1,499,980 was posted to the SEFA.
Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors are identified during the reconciliation process and are corrected timely in the system and communicated to the OCO for evaluation of impact on the SEFA.
Agency Response: PDA agrees with this finding.
Questioned Costs: None
Department of Agriculture
Finding 2024 – 005:
ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster
A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-005)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2024, subrecipient expenditures accounted for $120.6 million or approximately 98.6 percent of total federal program expenditures of $122.3 million.
PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years.
As part of our testing of subrecipient monitoring, we selected 16 subrecipients out of 95 reviews conducted during the audit period to test PDA’s monitoring procedures. We also evaluated that PDA performed monitoring reviews within the required time periods. Our testing disclosed that PDA performed annual reviews for at least 25 percent of subrecipients but failed to monitor 47 out of a population of 94 TEFAP soup kitchen subrecipients in the required four-year review period.
Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states:
Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include:
(i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and
(ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner.
Finding 2024 – 005: (continued)
7 CFR Section 247.34 (a) regarding CSFP management reviews states:
The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PDA management stated that the agency was viewing TEFAP soup kitchen subrecipients as “recipient agencies” which are not subject to the four-year review requirement as opposed to lead agencies with direct agreements with PDA that are subject to the four-year review requirement. Soup kitchens have direct agreements with PDA.
Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations.
Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations.
Agency Response: PDA agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Health
Finding 2024 ¬– 006:
ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19)
A Significant Deficiency and Noncompliance Exist at the Department of Health Related to Activities Allowed or Unallowed, Allowable Costs/Costs Principles
Federal Grant Number(s) and Year(s): 231PA705W1003 (10/01/2022-9/30/2023), 241PA705W1003 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles
Condition: The Pennsylvania Department of Health (DOH) administers and monitors the WIC Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) which provides assistance to low-income families for supplemental foods, education, and social services. WIC funds are received via federal grants from the United States Department of Agriculture (USDA) to meet these needs. The Pennsylvania DOH is responsible for ensuring that granted funds are used for allowable costs and grant provisions are followed.
WIC administrative grant Y23172 closed on September 30, 2023. The audit procedures disclosed that the closed grant had federal revenues that exceeded federal expenditures by approximately $95 thousand. DOH indicated that a credit was identified and posted to the grant after the FNS-798 grant close out report was submitted in February 2024. The credit was largely due to overcharges of costs for a Software License Agreement that was not allowable to the grant. The adjustment to record the credit to the grant posted in June 2024. Although DOH had identified and recorded the adjustment, DOH did not update the FNS-798 grant close out report which was necessary to return the corresponding federal funds to the USDA. DOH indicated that it is in the process of generating an updated FNS-798 report to enable the funds to be returned.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
2 CFR Section 200.405, Allowable costs, states:
a) Allocable costs in general. A cost is allocable to a Federal award or other cost objective if the cost is assignable to that Federal award or other cost objective in accordance with the relative benefits received. This standard is met if the cost satisfies any of the following criteria:
Finding 2024 ¬– 006: (continued)
(1) Is incurred specifically for the Federal award;
(2) Benefits both the Federal award and other work of the recipient or subrecipient and can be distributed in proportions that may be approximated using reasonable methods; or
(3) Is necessary to the overall operation of the recipient or subrecipient and is assignable in part to the Federal award in accordance with these cost principles.
2 CFR Section 200.406, Applicable credits, states:
(a) Applicable credits refer to transactions that offset or reduce direct or indirect costs allocable to a Federal award. Examples of such transactions are purchase discounts, rebates or allowances, recoveries or indemnities on losses, insurance refunds or rebates, and adjustments of overpayments or erroneous charges. To the extent that such credits accruing to or received by the recipient or subrecipient relate to allowable costs, they must be credited to the Federal award either as a cost reduction or cash refund, as appropriate.
Cause: DOH was not aware of the overcharges at the time of grant closeout. Management subsequently became aware of the costs and credited the federal grant expenditures but did not recognize the FNS-798 report needed adjusted to facilitate the return of the federal funds.
Effect: DOH had unallowable costs expended within grant Y23172 that were not identified until after the grant was closed. The unallowable costs were later credited to the grant causing cumulative revenues to exceed cumulative expenditures for the grant. The federal funds were not properly returned to the USDA.
Recommendation: We recommend that DOH implement formal policies and procedures to prevent and detect any unallowable costs to ensure timely and accurate grant close out procedures. If adjustments are necessary after a grant is closed, procedures should include amending the FNS-798 report at the time of posting the adjustments. Furthermore, DOH should submit an updated FNS-798 report and return the $95 thousand of federal funds to USDA.
Agency Response: DOH agrees with this finding.
Questioned Costs: None
Department of Health
Finding 2024 ¬– 006:
ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19)
A Significant Deficiency and Noncompliance Exist at the Department of Health Related to Activities Allowed or Unallowed, Allowable Costs/Costs Principles
Federal Grant Number(s) and Year(s): 231PA705W1003 (10/01/2022-9/30/2023), 241PA705W1003 (10/01/2023-9/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles
Condition: The Pennsylvania Department of Health (DOH) administers and monitors the WIC Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) which provides assistance to low-income families for supplemental foods, education, and social services. WIC funds are received via federal grants from the United States Department of Agriculture (USDA) to meet these needs. The Pennsylvania DOH is responsible for ensuring that granted funds are used for allowable costs and grant provisions are followed.
WIC administrative grant Y23172 closed on September 30, 2023. The audit procedures disclosed that the closed grant had federal revenues that exceeded federal expenditures by approximately $95 thousand. DOH indicated that a credit was identified and posted to the grant after the FNS-798 grant close out report was submitted in February 2024. The credit was largely due to overcharges of costs for a Software License Agreement that was not allowable to the grant. The adjustment to record the credit to the grant posted in June 2024. Although DOH had identified and recorded the adjustment, DOH did not update the FNS-798 grant close out report which was necessary to return the corresponding federal funds to the USDA. DOH indicated that it is in the process of generating an updated FNS-798 report to enable the funds to be returned.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
2 CFR Section 200.405, Allowable costs, states:
a) Allocable costs in general. A cost is allocable to a Federal award or other cost objective if the cost is assignable to that Federal award or other cost objective in accordance with the relative benefits received. This standard is met if the cost satisfies any of the following criteria:
Finding 2024 ¬– 006: (continued)
(1) Is incurred specifically for the Federal award;
(2) Benefits both the Federal award and other work of the recipient or subrecipient and can be distributed in proportions that may be approximated using reasonable methods; or
(3) Is necessary to the overall operation of the recipient or subrecipient and is assignable in part to the Federal award in accordance with these cost principles.
2 CFR Section 200.406, Applicable credits, states:
(a) Applicable credits refer to transactions that offset or reduce direct or indirect costs allocable to a Federal award. Examples of such transactions are purchase discounts, rebates or allowances, recoveries or indemnities on losses, insurance refunds or rebates, and adjustments of overpayments or erroneous charges. To the extent that such credits accruing to or received by the recipient or subrecipient relate to allowable costs, they must be credited to the Federal award either as a cost reduction or cash refund, as appropriate.
Cause: DOH was not aware of the overcharges at the time of grant closeout. Management subsequently became aware of the costs and credited the federal grant expenditures but did not recognize the FNS-798 report needed adjusted to facilitate the return of the federal funds.
Effect: DOH had unallowable costs expended within grant Y23172 that were not identified until after the grant was closed. The unallowable costs were later credited to the grant causing cumulative revenues to exceed cumulative expenditures for the grant. The federal funds were not properly returned to the USDA.
Recommendation: We recommend that DOH implement formal policies and procedures to prevent and detect any unallowable costs to ensure timely and accurate grant close out procedures. If adjustments are necessary after a grant is closed, procedures should include amending the FNS-798 report at the time of posting the adjustments. Furthermore, DOH should submit an updated FNS-798 report and return the $95 thousand of federal funds to USDA.
Agency Response: DOH agrees with this finding.
Questioned Costs: None
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 012:
ALN 17.258, 17.259, and 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster
A Significant Deficiency Exists at the Department of Labor and Industry Related to Inappropriate Privileged Access
Federal Grant Number(s) and Year(s): 23A55AT000019 (7/01/2023 – 6/30/2026), 23A55AW000022 (7/01/2023 – 6/30/2026), 23A55AY000029 (4/01/2023 – 6/30/2026), AA347902055A42 (10/01/2019 – 6/30/2023), AA363422155A42 (4/01/2021 – 6/30/2024), AA385522255A42 (4/01/2022 – 6/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Other
Condition: As part of testing internal controls over the Workforce Innovation and Opportunity Act (WIOA) Cluster program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry (L&I), Bureau of Workforce Development Administration (BWDA) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center.
During our testing of privileged access, we noted the following control deficiencies in an application used to capture, track, and monitor WIOA program activities:
1. An inappropriate application administrator role was assigned to six users who did not require the role to perform their job duties. There was no documented logging or monitoring of the use of this elevated access.
2. Four users were not removed from the system within two weeks after separating employment.
Details of this issue have been provided to the BWDA and the EBR Delivery Center for their information and corrective action.
Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book).
Green Book Principle 11 – Design Activities for the Information System, states in part:
o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error.
o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity.
Finding 2024 –¬ 012: (continued)
Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part:
• Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account.
Governor’s Office Executive Order 2016-06 Enterprise Information Technology Governance, amended October 27, 2020, establishes responsibility for all information technology (IT) services in the Commonwealth to the Office of Administration, Office for Information Technology (OA-OIT). Section 1 states:
• Powers and Duties. The Governor’s Office of Administration, Office for Information Technology… (“OA/OIT”) led by the Commonwealth Chief Information Officer (“Commonwealth CIO”), has overall responsibility for the management and operation of IT services for all executive agencies under the Governor’s jurisdiction….
A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent.
Cause: Under Executive Order 2016-06, OA-OIT is responsible for management and operation of IT services for all executive agencies under the Governor’s jurisdiction. In practice, however, L&I, BWDA has taken responsibility for the following functions in local offices across Pennsylvania: 1) adding new local office users to the application; 2) performing periodic access reviews of the appropriateness of access to the application at the local level; and 3) removing terminated local users from the application.
BWDA management approved an inappropriate application administrator role at the local offices because established procedures did not adequately describe appropriate application administrator roles that can be assigned to non-Commonwealth staff or adequately describe accurate assignment and approval of these roles. Additionally, user access request forms were designed inadequately. Some user access request forms explicitly stated that the role should only be assigned to Commonwealth staff, while other forms did not. Central staff periodic access reviews of local users also failed to identify these inappropriate roles because central staff reviewers only confirmed that the users were still employed, and did not verify that their level of access was appropriate. Further, the annual periodic access review was not documented for review or audit purposes. Central Staff removed the inappropriate roles from the users’ profiles after the audit period once the auditors pointed out the issue.
Established policy and procedures to disable separated users were not followed, which required either the local office system administrator or a central office administrator to submit a request to the L&I resource account no later than the employees last day of work, or the first business day after. One user that was not removed timely after separation had left employment over four years ago. The three other users had separated employment approximately six to seven months ago. Furthermore, the annual periodic access reviews failed to identify these separated users.
Effect: Inappropriate privileged access and untimely removal of terminated users contributes to the risk that system actions can occur that are not in accordance with management’s intent. Further, without properly functioning controls over terminated users and privileged access, management is precluded from reliance on computer controls in these agencies.
Recommendation: We recommend that BWDA management:
• Update the user access request form to clarify which privileged roles may be assigned to application users;
• Revise policies and procedures for the creation of accounts and assignment of roles to non-Commonwealth users in accordance with the policy for least privilege;
Finding 2024 –¬ 012: (continued)
• Document the annual periodic access reviews of local privileged users to ensure that central staff confirm appropriate role assignments and retain for audit purposes;
• Implement stronger controls to improve timely notifications of user separations; and
• Provide training to personnel on creation of accounts, assignment of administrator roles, and timely notification of user separations.
Agency Response: As previously communicated to the auditors, Bureau of Workforce Partnership & Operations (BWPO) acknowledges and accepts the six non-state users receiving the administrator role in error.
BWPO accepts and acknowledges the four User Accounts which were not deactivated timely. One instance was a failure of Local Office staff to notify of a staff separation with the other three being staff members from the Apprenticeship and Training Office (ATO) who separated from that Bureau without the Customer Service Unit being notified.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 010:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Work Registration Requirement
Federal Grant Number(s) and Year(s): C101064 (7/01/2023 - 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Eligibility
Condition: The Pennsylvania Department of Labor and Industry (L&I) administers and monitors federal Unemployment Insurance (UI) funds to provide benefits for unemployed workers for periods of involuntary unemployment. L&I is responsible for establishing policy and procedure to comply with the requirements of federal UI laws including collecting UI contributions, determining claimant eligibility, and making UI benefit payments. L&I uses Pennsylvania CareerLink and the Unemployment Compensation Benefits System to aid in making eligibility determinations pursuant federal requirements.
During the fiscal year ended June 30, 2024, testing revealed a claimant that was a union employee and claimed and received benefits was erroneously exempted from the work registration requirement. The work registration requirement is a condition of eligibility to receive benefits. L&I indicated that a programmatic error within the Unemployment Compensation Benefits System, which crossmatches against the Commonwealth Workforce Development System (CWDS), was not recognizing the workers with a union status as being required to register. Therefore, when the information came back from CWDS that claimants were not registered, the system incorrectly categorized these claimants as exempt.
L&I performed an analysis to determine the potential number of union claimants that were erroneously exempt from the work registration requirement. After analyzing the data, L&I developed an estimate of possible overpayments to include 3,481 claimants totaling $22.5 million. The estimated numbers represent the maximum possible error and would require further investigation at the individual claimant level to specifically determine actual overpayments. L&I indicated that due to this being a programmatic error, not due to claimants’ action or inaction, in consultation with legal counsel, L&I elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants. L&I acknowledged the programmatic issue prevented these individuals from knowing they would otherwise be denied for not registering. Furthermore, L&I stated it would be oppressive to inform the individuals now of requirements that needed to be met at the time of application, as well as burden them with unexpected overpayments.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Finding 2024 –¬ 010: (continued)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the UI program, Eligibility, states:
Regular Unemployment Compensation Program – Under state UC laws, a worker’s benefit rights depend on the amount of the worker’s wages and/or weeks of work in covered employment in a “base period.” While most states define the base period as the first four of the last five completed calendar quarters prior to the filing of the claim, other base periods may be used. To qualify for benefits, a claimant must have earned a certain number of wages or have worked a certain number of weeks or calendar quarters within the base period or meet some combination of wage and employment requirements. Some states require a waiting period of one week of total or partial unemployment before UC is payable. A “waiting period” is a non-compensable period of unemployment in which the worker is otherwise eligible for benefits.
To be eligible to receive UC, all states provide that a claimant must have been separated from suitable work for non-disqualifying reasons under state law (i.e., not because of such acts as leaving voluntarily without good cause or discharge for misconduct connected with work). After separation, they must be able and available for work, actively seeking work, legally authorized to work in the United States and must not have refused an offer of suitable work.
Pennsylvania UC Law booklet, states:
ARTICLE IV COMPENSATION Section 401.
Qualifications Required to Secure Compensation.—
Compensation shall be payable to any employe who is or becomes unemployed, and who—
(a) Satisfies both of the following requirements: (1) Has, within his base year, been paid wages for employment as required by section 404(c) of this act. (2) Except as provided in section 404(a)(3) and (e)(2)(v), not less than thirty-seven per centum (37%) of the employe's total base year wages have been paid in one or more quarters, other than the highest quarter in such employe's base year. ((2) amended June 30, 2021, P.L.173, No.30) ((a) amended Nov. 3, 2016, P.L.1100, No.144) (b) (1) Is making an active search for suitable employment. The requirements for "active search" shall be established by the department and shall include, at a minimum, all of the following: 106 PENNSYLVANIA UNEMPLOYMENT COMPENSATION LAW (i) Registration by a claimant for employment search services offered by the Pennsylvania CareerLink system or its successor agency within thirty (30) days after initial application for benefits. (ii) Posting a resume on the system's database, unless the claimant is seeking work in an employment sector in which resumes are not commonly used. (iii) Applying for positions that offer employment and wages similar to those the claimant had prior to his unemployment and which are within a forty-five (45) minute commuting distance.
Cause: A programmatic error within the Unemployment Compensation Benefits System erroneously exempted claimants with a union status from the work registration requirement.
Effect: Claimants with union status that were exempted from the work registration eligibility requirement possibly received UI benefit payments without meeting all the eligibility requirements, resulting in disallowed benefit payments. As indicated above in the condition, L&I has elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants.
Recommendation: We recommend that L&I strengthen policies and procedures to prevent and detect errors that could result in improper benefit payments.
Finding 2024 –¬ 010: (continued)
Agency Response: L&I agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 011:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Reemployment Services and Eligibility Assessments Program
Federal Grant Number(s) and Year(s): C10164 (7/01/2023 – 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Special Tests and Provisions related to Unemployment Insurance (UI) Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA)
Condition: During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) was required to administer reemployment services for the Unemployment Insurance (UI) program. The Commonwealth of Pennsylvania elected to operate the Reemployment Services and Eligibility Assessments (RESEA) program to satisfy the Worker Profiling and Reemployment Services (WPRS) federal mandate which was permitted by federal requirements.
The RESEA program enables claimants who are most likely to exhaust their benefits to access services that assist them to return to work or provide assistance in areas such as job search or placement, job markets, and testing. Claimant participants work with a case administrator (administrator) throughout the program, and the administrators are supervised by a case manager. L&I’s program procedures are outlined in the Labor and Industry RESEA Manual which details claimant selection, eligibility, and the intervention process performed by the administrator to assist participating claimants.
The Commonwealth of Pennsylvania’s RESEA program uses a comprehensive checklist from the RESEA Manual to ensure that all elements of the program are being satisfied for each case. To test the RESEA requirements for the fiscal year ending June 30, 2024, a sample of 40 out of 22,774 claimant cases that completed the program during that time period was selected for testing. No noncompliance was identified. However, we were unable to test the operating effectiveness of certain internal control procedures at the case level, since supporting documentation for checklists was not maintained for eight of the 40 cases tested.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management Directive 325.12 Standards for Internal Control for Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book), published in September 2014. The Green Book states in part:
Finding 2024 –¬ 011: (continued)
Management should design control activities to achieve objectives and respond to risks.
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: According to L&I management, the checklist was mandatory for use by the administrators. L&I indicated that the eight checklists which were unavailable to be reviewed were lost due to moving locations.
Effect: The lack of adequate internal controls over compliance in the RESEA program could result in improper identification of claimants and insufficient services resulting in federal noncompliance. Although noncompliance was not identified by our audit procedures, fully operational controls would enable case administrators and managers to ensure compliance with program requirements and to timely prevent and detect instances of noncompliance.
Recommendation: We recommend that L&I management ensure the use of the checklist to strengthen internal controls and to ensure verification of all elements of the RESEA program are occurring, accurate, and complete. Also, L&I management should ensure that proper documentation of the use of these tools is maintained.
Agency Response: L&I is in agreement with the recommendations and will ensure that the checklist will be completed for all RESEA recipients. Management will ensure that proper documentation of this tool is maintained.
1. Yearly RESEA case file reviews will be conducted by the Bureau of Workforce Partnership & Operations (BWPO) Central office staff.
2. Quarterly meetings with local office staff to reinforce the importance of utilizing the checklist.
Questioned Costs: None
Department of Labor and Industry
Finding 2024 –¬ 010:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Work Registration Requirement
Federal Grant Number(s) and Year(s): C101064 (7/01/2023 - 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Eligibility
Condition: The Pennsylvania Department of Labor and Industry (L&I) administers and monitors federal Unemployment Insurance (UI) funds to provide benefits for unemployed workers for periods of involuntary unemployment. L&I is responsible for establishing policy and procedure to comply with the requirements of federal UI laws including collecting UI contributions, determining claimant eligibility, and making UI benefit payments. L&I uses Pennsylvania CareerLink and the Unemployment Compensation Benefits System to aid in making eligibility determinations pursuant federal requirements.
During the fiscal year ended June 30, 2024, testing revealed a claimant that was a union employee and claimed and received benefits was erroneously exempted from the work registration requirement. The work registration requirement is a condition of eligibility to receive benefits. L&I indicated that a programmatic error within the Unemployment Compensation Benefits System, which crossmatches against the Commonwealth Workforce Development System (CWDS), was not recognizing the workers with a union status as being required to register. Therefore, when the information came back from CWDS that claimants were not registered, the system incorrectly categorized these claimants as exempt.
L&I performed an analysis to determine the potential number of union claimants that were erroneously exempt from the work registration requirement. After analyzing the data, L&I developed an estimate of possible overpayments to include 3,481 claimants totaling $22.5 million. The estimated numbers represent the maximum possible error and would require further investigation at the individual claimant level to specifically determine actual overpayments. L&I indicated that due to this being a programmatic error, not due to claimants’ action or inaction, in consultation with legal counsel, L&I elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants. L&I acknowledged the programmatic issue prevented these individuals from knowing they would otherwise be denied for not registering. Furthermore, L&I stated it would be oppressive to inform the individuals now of requirements that needed to be met at the time of application, as well as burden them with unexpected overpayments.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations
of the Treadway Commission (COSO).
Finding 2024 –¬ 010: (continued)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the UI program, Eligibility, states:
Regular Unemployment Compensation Program – Under state UC laws, a worker’s benefit rights depend on the amount of the worker’s wages and/or weeks of work in covered employment in a “base period.” While most states define the base period as the first four of the last five completed calendar quarters prior to the filing of the claim, other base periods may be used. To qualify for benefits, a claimant must have earned a certain number of wages or have worked a certain number of weeks or calendar quarters within the base period or meet some combination of wage and employment requirements. Some states require a waiting period of one week of total or partial unemployment before UC is payable. A “waiting period” is a non-compensable period of unemployment in which the worker is otherwise eligible for benefits.
To be eligible to receive UC, all states provide that a claimant must have been separated from suitable work for non-disqualifying reasons under state law (i.e., not because of such acts as leaving voluntarily without good cause or discharge for misconduct connected with work). After separation, they must be able and available for work, actively seeking work, legally authorized to work in the United States and must not have refused an offer of suitable work.
Pennsylvania UC Law booklet, states:
ARTICLE IV COMPENSATION Section 401.
Qualifications Required to Secure Compensation.—
Compensation shall be payable to any employe who is or becomes unemployed, and who—
(a) Satisfies both of the following requirements: (1) Has, within his base year, been paid wages for employment as required by section 404(c) of this act. (2) Except as provided in section 404(a)(3) and (e)(2)(v), not less than thirty-seven per centum (37%) of the employe's total base year wages have been paid in one or more quarters, other than the highest quarter in such employe's base year. ((2) amended June 30, 2021, P.L.173, No.30) ((a) amended Nov. 3, 2016, P.L.1100, No.144) (b) (1) Is making an active search for suitable employment. The requirements for "active search" shall be established by the department and shall include, at a minimum, all of the following: 106 PENNSYLVANIA UNEMPLOYMENT COMPENSATION LAW (i) Registration by a claimant for employment search services offered by the Pennsylvania CareerLink system or its successor agency within thirty (30) days after initial application for benefits. (ii) Posting a resume on the system's database, unless the claimant is seeking work in an employment sector in which resumes are not commonly used. (iii) Applying for positions that offer employment and wages similar to those the claimant had prior to his unemployment and which are within a forty-five (45) minute commuting distance.
Cause: A programmatic error within the Unemployment Compensation Benefits System erroneously exempted claimants with a union status from the work registration requirement.
Effect: Claimants with union status that were exempted from the work registration eligibility requirement possibly received UI benefit payments without meeting all the eligibility requirements, resulting in disallowed benefit payments. As indicated above in the condition, L&I has elected to invoke the Secretary’s right to retroactively waive the registration requirement for these claimants.
Recommendation: We recommend that L&I strengthen policies and procedures to prevent and detect errors that could result in improper benefit payments.
Finding 2024 –¬ 010: (continued)
Agency Response: L&I agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry
Finding 2024 –¬ 011:
ALN 17.225 – Unemployment Insurance (including COVID-19)
A Significant Deficiency Exists at the Department of Labor and Industry Related to the Reemployment Services and Eligibility Assessments Program
Federal Grant Number(s) and Year(s): C10164 (7/01/2023 – 6/30/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance
Compliance Requirement: Special Tests and Provisions related to Unemployment Insurance (UI) Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA)
Condition: During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) was required to administer reemployment services for the Unemployment Insurance (UI) program. The Commonwealth of Pennsylvania elected to operate the Reemployment Services and Eligibility Assessments (RESEA) program to satisfy the Worker Profiling and Reemployment Services (WPRS) federal mandate which was permitted by federal requirements.
The RESEA program enables claimants who are most likely to exhaust their benefits to access services that assist them to return to work or provide assistance in areas such as job search or placement, job markets, and testing. Claimant participants work with a case administrator (administrator) throughout the program, and the administrators are supervised by a case manager. L&I’s program procedures are outlined in the Labor and Industry RESEA Manual which details claimant selection, eligibility, and the intervention process performed by the administrator to assist participating claimants.
The Commonwealth of Pennsylvania’s RESEA program uses a comprehensive checklist from the RESEA Manual to ensure that all elements of the program are being satisfied for each case. To test the RESEA requirements for the fiscal year ending June 30, 2024, a sample of 40 out of 22,774 claimant cases that completed the program during that time period was selected for testing. No noncompliance was identified. However, we were unable to test the operating effectiveness of certain internal control procedures at the case level, since supporting documentation for checklists was not maintained for eight of the 40 cases tested.
Criteria: 2 CFR Section 200.303, Internal controls, states:
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management Directive 325.12 Standards for Internal Control for Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book), published in September 2014. The Green Book states in part:
Finding 2024 –¬ 011: (continued)
Management should design control activities to achieve objectives and respond to risks.
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: According to L&I management, the checklist was mandatory for use by the administrators. L&I indicated that the eight checklists which were unavailable to be reviewed were lost due to moving locations.
Effect: The lack of adequate internal controls over compliance in the RESEA program could result in improper identification of claimants and insufficient services resulting in federal noncompliance. Although noncompliance was not identified by our audit procedures, fully operational controls would enable case administrators and managers to ensure compliance with program requirements and to timely prevent and detect instances of noncompliance.
Recommendation: We recommend that L&I management ensure the use of the checklist to strengthen internal controls and to ensure verification of all elements of the RESEA program are occurring, accurate, and complete. Also, L&I management should ensure that proper documentation of the use of these tools is maintained.
Agency Response: L&I is in agreement with the recommendations and will ensure that the checklist will be completed for all RESEA recipients. Management will ensure that proper documentation of this tool is maintained.
1. Yearly RESEA case file reviews will be conducted by the Bureau of Workforce Partnership & Operations (BWPO) Central office staff.
2. Quarterly meetings with local office staff to reinforce the importance of utilizing the checklist.
Questioned Costs: None
Office of Budget Operations
Finding 2024 – 013:
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
A Significant Deficiency and Noncompliance Exist at the Office of Budget Operations Related to the Quarterly Project and Expenditure Report (A Similar Condition Was Noted in Prior Year Finding 2023-020)
Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 – 12/31/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Reporting
Condition: Two of four quarterly Project and Expenditure Reports were selected for testing. The Office of Budget Operations (OBO) reported incomplete capital project information in these quarterly reports. Specifically, the following exceptions were noted:
• A project’s description allows capital expenditures by subrecipients, but OBO has reported it as a non-capital project on both the 9/30/2023 and 3/31/2024 quarterly Project and Expenditure reports. In addition, the Pennsylvania Emergency Management Agency (PEMA) did not require the subrecipients receiving funding under this project to report their capital expenditures to PEMA. Therefore, OBO is unable to determine the amount of capital expenditures obligated and expended for this project for the quarters tested.
• A capital project in excess of $10 million was reported as a non-capital project on the 9/30/2023 quarterly report.
• On the 9/30/2023 quarterly report, the project was correctly reported as a capital project and the required written justification was included, however, the justification did not include all required elements.
Criteria: Per the Compliance and Reporting Guidance issued by the U.S. Department of the Treasury, recipients must report if a project includes capital expenditures, the type of capital expenditure, and the amount of capital expenditures obligated and expended.
Per 31 CFR §35.6(b)(4), a recipient, other than a Tribal government, must prepare written justifications for capital projects with capital expenditures enumerated by Treasury in the final rule and with total capital expenditures greater than $10 million.
Such written justifications must include the following elements:
(i) Describe the harm or need to be addressed;
(ii) Explain why a capital expenditure is appropriate; and
(iii) Compare the proposed capital expenditure to at least two alternative capital expenditures and demonstrate why the proposed capital expenditure is superior.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: PEMA issued subawards to 666 local EMS companies and the subrecipients were allowed to expend the funds on a variety of uses, including capital expenditures. PEMA did not obtain detail of capital expenditures incurred from the subrecipients and was therefore unable to provide the information to OBO for inclusion on the Project and Expenditure Reports.
Finding 2024 – 013: (continued)
The required elements for capital project justifications are summarized on page 4390 of the Final Rule, but they are not mentioned in the Project and Expenditure Report User Guide nor in the Compliance and Reporting Guidance. Therefore, OBO was unaware that it was necessary to include specific elements in the justification.
Effect: OBO did not properly identify and report capital projects. Errors included omitting capital project obligations and expenditures and incomplete justifications for a capital project greater than $10 million.
Recommendation: We recommend that OBO ensures that all capital projects are properly reported and that justifications for capital projects greater than $10 million include all required elements. We further recommend that subrecipients are sufficiently monitored to allow OBO to correctly report capital expenditures obligated and expended.
Agency Response: The Office of Budget Operations, formerly known as the Governor’s Budget Office or GBO, agrees with this finding. Through our Corrective Action Plan, we will document the work we’ve already done to resolve this finding.
Questioned Costs: None
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging
Finding 2024 – 003:
ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19)
A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2023-003)
Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Subrecipient Monitoring
Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2024. The Aging Cluster subrecipients received $71.6 million out of Aging Cluster Program expenditures totaling $75.9 million reported on the Schedule of Expenditures of Federal Awards (SEFA).
Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part:
(a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where:
(1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness.
45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
Finding 2024 – 003: (continued)
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages.
Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements.
Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Agency Response: PDOA agrees with the finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 –¬ 007:
ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2023-012)
Federal Grant Number(s) and Year(s): 231PA405S2514 (10/01/2022 – 9/30/2023), 241PA405S2514 (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirement: Special Tests and Provisions related to EBT Card Security
Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2024, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2024, totaled $99.6 million.
Fourteen of the 88 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at 12 CAO and district locations selected for testing. These exceptions included the following:
1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 1 CAO location);
2) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location);
3) Failure to perform the following:
• Completion of paper Weekly EBT Inventory Log only in circumstances deemed an emergency (1 CAO location);
• Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipment is signed for and the shipping manifest is date stamped (1 CAO location);
• Ensure unusable cards pulled from EBT Card inventory are shredded (1 CAO location);
• Enter EBT card into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location);
• Mail locally created EBT cards directly to customers (1 district office);
• Maintain adequate security of EBT cards (1 CAO location);
• Maintain adequate security of pinning devices (1 CAO location);
• Maintain adequate security of EBT card paper logs (1 CAO location);
Finding 2024 –¬ 007: (continued)
• Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (3 district offices and 2 CAO locations);
• Timely deactivation of user access in the EBT Card Tracking Database (5 CAO locations);
• Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location);
• Timely mail locally created EBT cards on the same day as card creation (1 district office); and
• Timely performance of the EBT Weekly Log Reconciliation and approval on Friday or last workday of the week during holidays (1 CAO location).
Criteria: The 2024 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states:
The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)).
7 CFR Section 274.5, Record retention and forms security, states:
(c) Accountable Documents.
(1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents:
i. Secure storage;
ii. Access limited to authorized personnel;
iii. Bulk inventory control records;
iv. Subsequent control records maintained through the point of issuance or use; and
v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records.
45 CFR Section 75.302 applicable to TANF states:
(b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365):
(4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security.
Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse.
Finding 2024 –¬ 007: (continued)
Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Department of Labor and Industry
Finding 2024 –¬ 009:
ALN 93.558 – Temporary Assistance for Needy Families
Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring and the Department of Labor and Industry Did Not Perform Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-014)
Federal Grant Number(s) and Year(s): 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: During the fiscal year ended June 30, 2024, the Department of Human Services (DHS) paid $83.5 million (or 21.9 percent) in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations out of total federal TANF expenditures of $381.0 million reported on the June 30, 2024 Schedule of Expenditures of Federal Awards (SEFA).
Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2024, disclosed that DHS performed on-site monitoring for 16 out of 16 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, and case management analysis. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 16 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings.
Our testing also included follow-up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2024. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $500 thousand of TANF funds during the fiscal year ended June 30, 2024.
During the fiscal year ended June 30, 2024, the Department of Labor and Industry (L&I) paid $27.1 million in TANF funding to subrecipients within the Youth Employment and Training (E&T) appropriation (or 7.1 percent) out of total federal TANF expenditures of $381.0 million reported on the June 30, 2024 SEFA.
Our testing of L&I’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2024, disclosed that L&I did not perform on-site monitoring or desk reviews for seven out of seven subrecipients selected for testing.
Finding 2024 –¬ 009: (continued)
Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision].
2 CFR Section 200.332, Requirements for pass-through entities, states in part:
A pass-through entity must:
(f) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (c) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters;
(2) Performing site visits to review the subrecipient's program operations; and
(3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services].
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: DHS considered how financial monitoring might be incorporated into on-site monitoring procedures, but updated procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2024. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. L&I recognized the need to perform during-the-award monitoring procedures for TANF funds passed through for the Youth E&T program, but the updated procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2024.
Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS and L&I management.
Recommendation: DHS and L&I should strengthen controls to ensure during-the-award monitoring is being performed for all TANF subrecipients and that the monitoring includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS and L&I subrecipients.
Finding 2024 –¬ 009: (continued)
DHS Response: DHS agrees with this finding.
L&I Response: L&I concurs with this finding. TANF Youth Development Program (TANF YDP) operations transitioned from the Bureau of Workforce Development Administration (BWDA) to the Bureau of Workforce Partnerships and Operations (BWPO) in January 2023. Due to this transition, BWPO did not conduct on site monitoring of the TANF YDP program in program year 2023. BWPO did begin on site monitoring in program year 2024 on a limited basis as a pilot with 3 local areas in September of 2024. BWPO plans to expand monitoring efforts in 2025.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services
Finding 2024 – 008:
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Department of Human Services’ Program Monitoring of the Social Services Block Grant Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2023-015)
Federal Grant Number(s) and Year(s): 2401PASOSR (10/01/2023 – 9/30/2025), 2301PASOSR (10/01/2022 – 9/30/2024)
Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance
Compliance Requirements: Cash Management, Subrecipient Monitoring
Condition: Our examination of the Department of Human Services’ (DHS) procedures for monitoring Social Services Block Grant (SSBG) subrecipients revealed that DHS did not adequately monitor the SSBG Mental Health, Homeless Services, and Child Welfare subrecipients to ensure that SSBG awards are used in compliance with laws and regulations, which include allowable costs, period of performance, and other requirements. DHS program personnel indicated that they performed on-site monitoring of nine subrecipients, however only three reports were issued to the subrecipients. The inadequately monitored subrecipients received $26.6 million (or approximately 29 percent) of total SSBG program expenditures of $91.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). While we did note that DHS adequately monitored three of the 55 Mental Health County/County Joinder subrecipients which included Mental Health, Homeless Services and Child Welfare services, this coverage is not adequate. In addition, our review of the risk assessments completed for all of the aforementioned subrecipients identified several instances where subrecipient monitoring was warranted but was not conducted.
In addition, for the compliance requirement related to cash management, we noted that DHS advanced funds to SSBG subrecipients in four of nine program areas, representing $34.0 million (or approximately 37 percent) of SSBG program expenditures, without adequately monitoring the reasonableness of the subrecipient cash balances. In particular, for the program areas related to Mental Health, Intellectual Disabilities, Homeless Services, and Child Welfare, DHS advanced funds to subrecipients on a quarterly basis. Our inquiries with applicable DHS program administrators disclosed that DHS did not adequately monitor the four program areas’ subrecipients for cash management compliance either at the time of payment or at any other time during the fiscal year ended June 30, 2024.
Furthermore, while Single Audits of SSBG subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year.
Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
(1) Reviewing financial and performance reports required by the pass-through entity.
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.
Finding 2024 – 008: (continued)
(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity…
(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Providing subrecipients with training and technical assistance on program-related matters; and
(2) Performing on-site reviews of the subrecipient's program operations;
(3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services).
45 CFR Section 75.305(b)(1), applicable to payments to subrecipients, states in part:
…Advance payments to a non-Federal entity must be limited to the minimum amounts needed and be timed to be in accordance with the actual, immediate cash requirements of the non-Federal entity in carrying out the purpose of the approved program or project. The timing and amount of advance payments must be as close as is administratively feasible to the actual disbursements by the non-Federal entity for direct program or project costs and the proportionate share of any allowable indirect costs. The non-Federal entity must make timely payment to contractors in accordance with the contract provisions.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: DHS management indicated that risk assessment and monitoring documents were created for use during on-site monitoring of SSBG subrecipients. However, due to staffing issues, on-site monitoring was not performed for all SSBG subrecipients.
Consistent with prior year audits, DHS management noted that there have been no changes to the payment methodology for the Homeless Services, Mental Health, Intellectual Disabilities, and Child Welfare components of SSBG. These programs provide subrecipients with advances to comply with Commonwealth law and also to ensure that adequate funds are available to provide services to participants on a timely basis. DHS officials believe that their in-house payment review procedures for the SSBG program are as efficient as administratively feasible and that controls exist in each of the program areas. Without on-site program monitoring visits by funding agency officials, we consider DHS’s limited in-house reviews of subrecipient status reports or other documents to be insufficient to detect potential subrecipient noncompliance, including excess cash violations. DHS does not adjust payments to the subrecipients based on in-house reviews.
Effect: Since DHS does not adequately perform during-the-award monitoring of subrecipients, including the monitoring of subrecipient cash on hand, subrecipients may not be complying with applicable grant requirements and federal regulations, including cash management standards.
Recommendation: DHS should perform risk based during-the-award monitoring procedures for all SSBG subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations.
Finding 2024 – 008: (continued)
As recommended in previous Single Audits and supported by the United States Department of Health and Human Services, DHS should either consider changing their current subrecipient payment procedures from advancement basis to reimbursement basis or establish procedures to adequately monitor subrecipient cash on hand to ensure it is limited to immediate needs, but no longer than one month. The implementation and strengthening of these controls should provide DHS with reasonable assurance as to compliance with cash management requirements at the subrecipient level.
Agency Response: DHS agrees with this finding.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 ¬– 015:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 15.252 – Abandoned Mine Land Reclamation (AMLR)
ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds
ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund
ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund
ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program
ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER
ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program
ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024)
Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant
Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster
Compliance Requirement: Subrecipient Monitoring
Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance
Finding 2024 ¬– 015: (continued)
audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary.
Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies.
Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports:
• Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit.
• Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings.
• Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely.
• Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date.
• Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date.
Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
Finding 2024 ¬– 015: (continued)
(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.
(3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision].
(f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements].
(g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records.
(h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations.
In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures.
2 CFR §200.512, Report submission, states in part:
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
2 CFR §200.521, Management decision, states in part:
(a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action.
(d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
2 CFR §200.505, Sanctions, states:
In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance].
2 CFR §200.339, Remedies for noncompliance, states in part:
If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances.
Finding 2024 ¬– 015: (continued)
(a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity.
(b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.
(c) Wholly or partly suspend or terminate the Federal award.
(d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency).
(e) Withhold further Federal awards for the project or program.
(f) Take other remedies that may be legally available.
To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part:
(a) Agencies must develop and implement remedial action that reflects the unique requirements of each program…
(b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to:
(1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program.
(2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to:
(a) Communicate regarding the audit.
(b) Arrange for and oversee the audit.
(c) Direct and monitor audit resolution.
(3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance.
(4) Withholding a portion of assistance payments until the noncompliance is resolved.
(5) Withholding or disallowing overhead costs until the noncompliance is resolved.
(6) Suspending the assistance agreement until the noncompliance is resolved.
(7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program.
Finding 2024 ¬– 015: (continued)
Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part:
c. Agencies.
(2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan.
(5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings.
(6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F.
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis.
Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely.
Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely.
Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required.
Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements.
PDOA Response: PDOA agrees with the finding.
PDA Response: PDA agrees with the finding.
PDE Response: PDE agrees with the finding.
DEP Response: DEP agrees with the finding.
Finding 2024 ¬– 015: (continued)
DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding.
Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding.
DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated.
Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies
Finding 2024 –¬ 014:
ALN 10.565, 10.568, 10.569 – Food Distribution Cluster
ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19)
ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases
(including COVID-19)
ALN 93.558 – Temporary Assistance for Needy Families
ALN 93.667 – Social Services Block Grant
ALN 93.788 – Opioid STR
State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023)
Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024)
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Compliance Requirement: Subrecipient Monitoring
Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance.
Finding 2024 –¬ 014: (continued)
SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE
(The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.)
Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part:
All pass-through entities must:
(a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
Finding 2024 –¬ 014: (continued)
(1) Federal Award Identification.
(iii) Federal Award Identification Number (FAIN);
(iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency;
(v) Subaward Period of Performance Start and End Date;
(viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation;
(ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity;
(xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity;
(xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement;
(6) Appropriate terms and conditions concerning closeout of the subaward.
(b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency)
Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part:
Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed.
Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance.
Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner.
Finding 2024 –¬ 014: (continued)
Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward.
DHS Response: DHS agrees with the finding.
DOH Response: DOH agrees with the finding.
PDA Response: PDA agrees with the finding.
PDOA Response: PDOA agrees with the finding.
DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations.
L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents.
Questioned Costs: The amount of questioned costs cannot be determined.