Audit 347007

FY End: 2024-06-30
Total Expended: $30.26M
Findings: 2
Programs: 6
Organization: Chicago Commons Association (IL)
Year: 2024
Accepted: 2025-03-20
Auditor: RSM US LLP

Findings

ID | Ref | Severity | Repeat | Requirement
529112 | 2024-001 | Significant Deficiency | - | P
1105554 | 2024-001 | Significant Deficiency | - | P

Contacts

Name Title Type
YRC9VW9NRN17 Dana Thomas Auditee
7737497225 William O'Brien Auditor

Notes to SEFA

Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. There were no federal awards expended for non-cash assistance, insurance or any loans or loan guarantees outstanding at year-end.
De Minimis Rate Used: N
Rate Explanation: Commons elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Chicago Commons Association (Commons) under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the activities of Commons, it is not intended to and does not present the financial position, changes in net assets or cash flows of Commons.

Title: Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. There were no federal awards expended for non-cash assistance, insurance or any loans or loan guarantees outstanding at year-end.

Title: Indirect Cost Rate
Commons has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.

Finding Details

Finding 2024-001: Payment to fraudulent subrecipient account - cyber incident
Repeat Finding: No
Federal Program Title: U.S. Department of Health and Human Services 93.600 Head Start
Award #: 05CH012065-02-00
Award Year: 9/1/2022 – 8/31/2023

Finding: In connection with a cyber incident at a subrecipient, Chicago Commons Association (Commons) sent two federal fund payments to a fraudulent party acting as the subrecipient.

Criteria: 2 CFR 200.305(b) describes federal payments for recipients and subrecipients other than states, whether the payment is made by electronic funds transfer or by other means. Per 2 CFR 200.516(a), the auditor must report as an audit finding various items including known or likely fraud affecting a federal award. Audit finding detail and clarity is described in the next section, 2 CFR 200.516(b), which requires specific information to be included such as “(3) The condition found, including facts that support the deficiency found in the audit finding.”

Condition: The design and execution of certain internal controls were not successful in preventing or detecting Commons’ payments to a bank account controlled by a fraudulent party posing as a subrecipient. This resulted from a scheme related to a cyber incident at the subrecipient.

Gads Hill Center (GHC), a nonprofit after-school program located in Chicago and a subrecipient/delegate agency of Commons, was the victim of a cyber incident whereby a fraudulent party was able to take control of GHC’s email and telephone systems. This fraudulent party then contacted the Commons AP manager via email on August 7, 2023, posing as the GHC Chief Financial Officer. Through email communications with the Commons AP manager and VP of Finance, this fraudulent party submitted updated banking/ACH information for GHC to change their ACH information from Fifth Third Bank (the valid GHC bank account) to Truist Bank (the fraudulent party’s bank account).

An email was sent from the Commons AP manager to the Commons VP of Finance to have the information updated in the system. Commons’ policies require that a request received for this type of change be substantiated through a direct phone call to the subrecipient. The Commons AP manager called the GHC CFO (the number used was that of the Pilsen location shown on the GHC website) but the call went unanswered (and voicemail was full). The AP manager and GHC CFO scheduled a call for the next week, and the AP manager received a phone call from an identical phone number from an individual who identified himself as the GHC CFO and completed the verification process. New banking information was then entered and approved in Commons’ primary banking partner’s system (US Bank). These emails and calls happened between August 7 and August 15, 2023.

Commons received a voucher from GHC and made a $70,121.99 payment to Truist Bank on August 17, using the updated ACH information. The primary banking partner of Commons flagged this payment as potentially fraudulent because the name on the ACH payment did not match the name listed on the bank account, and contacted Commons. Commons communicated that the banking information was correct, and the payment was then released on August 22. Another GHC-submitted voucher was received, and $640,318.83 was also paid to Truist Bank on August 24, 2023.

The payments were not received by GHC. GHC subsequently contacted Commons to follow up about the status of the payments due, and through the ensuing discussion the payments to the fraudulent Truist Bank account were ultimately discovered.

The two submitted vouchers for expenses incurred by GHC were valid, in connection with program services performed by GHC. Commons reviewed, approved and submitted the two vouchers to the U.S. Department of Health and Human Services (the funder) for reimbursement. The funder approved the expenses, funds were released to Commons and then disbursed by Commons to the Truist Bank account which management believed belonged to GHC. Commons recorded and reported revenue and expense (payment to subrecipient) for the amounts of the vouchers received and paid. Because GHC incurred the expenses but never received the reimbursement funds, GHC absorbed the loss.

Cause: Commons personnel had followed established processes and internal controls as intended. However, the design and execution of the controls were not successful in preventing or detecting payments to a fraudulent account. Management believes the sophistication of the fraud scheme exceeded the effectiveness of the controls.

Effect: The change in ACH information resulted in two Commons’ payments of federal funds totaling $710,440.82 made to a bank account controlled by the fraudulent party acting as the subrecipient.

Context: Chicago Commons made us aware of this matter, which appears to be an isolated incident for the year ended June 30, 2024.

Questioned Costs: There were no known questioned costs.

Recommendation: We recommend that Commons strengthen its internal controls in verifying a requested bank account change. For example, the procedure can include a requirement for the phone call to be made by an individual at Commons with personal knowledge and familiarity with a specific individual at the organization requesting the change.

Views of Responsible Officials: Management is in agreement with this finding. See corrective action plan.