STATEWIDE CASH MANAGEMENT
Federal Agency: U.S. Department of Treasury (TREAS)
State Fiscal Year: 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Administration (DOA), Office of Accounts and Control (OAC)
Compliance Requirement: Cash Management
CONTROLS OVER CASH MANAGEMENT IMPROVEMENT ACT (CMIA) – INTEREST CALCULATIONS
The State lacks monitoring controls over the calculation of interest due under the CMIA. Errors in the mechanical calculation of interest due were not detected by the State.
Background: Under the Cash Management Improvement Act, the State and U.S. Treasury enter into a Treasury-State Agreement (TSA) on an annual basis. The federal programs covered by the TSA are recalculated annually, based on a threshold using the Schedule of Expenditures of Federal Awards (SEFA) from two fiscal years prior (i.e., the 2024 TSA programs are calculated using the 2022 SEFA).
Criteria: Paragraph 8.6.1 of the State’s 2024 TSA states “The State shall be liable for interest on Federal funds from the date Federal funds are credited to a State account until the date those funds are paid out for program purposes.” Further, paragraph 8.6.2.1 states “To determine the total time Federal funds are held, the State shall measure the time between the date Federal funds are received and credited to a State’s account and the date those funds are debited from the State’s account.”
Condition: In recalculating the programs to be included in the 2024 TSA, we identified 4 new programs that were added from the prior year; all applicable programs were properly included in the fiscal 2024 TSA. However, when reviewing the interest calculations for the programs covered by the 2024 TSA, we noted that one of these new programs was not listed in the supporting worksheet for the interest calculations. In addition, that program and another new program in 2024 were not included in the detailed report that supported the calculation of daily cash balances subject to interest.
Cause: Review procedures over the CMIA interest calculation did not ensure that all programs covered by the TSA were properly included in the calculation. Additionally, the underlying report supporting the calculations was not modified to include the additional programs in fiscal 2024.
Effect: Interest liability amounts due to the U.S. Treasury may exist and remain unidentified.
Questioned Costs: $110 (estimated)
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-029 Enhance review procedures to ensure all programs in the TSA are included in the interest calculation on an annual basis. Ensure underlying reports are properly modified, as necessary, to capture data for all programs in the TSA.
STATEWIDE COST ALLOCATION PLAN
Federal Cognizant Agency: U.S. Department of Health and Human Services (HHS)
State Fiscal Year: 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Administration (DOA), Office of Accounts and Control (OAC)
Compliance Requirement: Allowable Costs/Cost Principles
DOCUMENTATION OF FUNDING MECHANISMS WITHIN THE STATEWIDE COST ALLOCATION PLAN
Documentation of the funding mechanism for grants management services within the Statewide Cost Allocation Plan can be improved.
Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State’s statewide cost allocation plan (SWCAP). This plan is submitted annually for approval by the State’s federal cognizant agency, the U.S. Department of Health and Human Services. The SWCAP agreement includes the approval of billed costs, charges for services that are billed in accordance with rates established by the State and approved by the federal government as part of the SWCAP agreement.
Condition: While the costs for statewide grants management services appear to be included in the allocated cost section of the SWCAP, the State is allocating those costs to federal programs based on a “billed” methodology. The methodology for these services assesses departments and agencies based on a two-tiered calculation: first, a per-license fee for users of the State’s grants management system, and second, an assessment to cover other grants management unit costs applied to the respective departments based on a proportionate share of total federal expenditures, excluding certain programs.
We were unable to determine whether the mechanism used to assess the costs related to statewide grants management services across departments and agencies during fiscal 2024 was in accordance with the approved statewide cost allocation plan.
Cause: The State did not include the grants management services as part of its billed costs in the most recent federally approved SWCAP agreement.
Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-030 Submit cost allocation methodology for grants management services allocated to federal programs as part of billed costs in the statewide cost allocation plan.
SNAP CLUSTER – 10.551, 10.561
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service (FNS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Allowable Costs/Cost Principles
SNAP - ALLOWABLE COSTS – OTHER MATTERS
Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA).
Criteria: 2 CFR §200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards.
Condition: During our fiscal 2024 audit of the State, we learned of a potential fraud relating to the SNAP Cluster. Based on a tip, OIA identified a claimant using multiple social security numbers. The OIA’s findings were communicated to law enforcement and charges were filed against the individual. While the alleged fraud is greater than $25,000, the case prosecution is ongoing and the actual amount of fraudulent payments is unknown at this time.
Cause: Potential fraud committed by a claimant. Payments were allegedly made to an individual based on fraudulent identities and stolen information.
Effect: Noncompliance with federal regulations for the Supplemental Nutrition Assistance Program.
Questioned Costs: Undetermined
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-031 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFA, where applicable, must submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of an FSMC without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of an FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c), which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance with 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Reporting
FEDERAL REPORTING – SF-425 FINANCIAL REPORTS
RIDE did not submit complete and timely SF-425 Financial Reports in accordance with federal requirements.
Background: RIDE has an individual who initiates the SF-425 report by compiling data from RIFANS. Once completed and entered on the fprs.fns.usda.gov reporting site, the initiator notifies a separate individual to submit and have the report certified. The quarterly SF-425 Federal Financial Report should be submitted on the reporting website no later than 30 calendar days after the reporting period, and the final annual report is due no later than 90 calendar days after the reporting period. The SF-425 is a cumulative report until the final report is submitted.
Criteria: According to 2 CFR §200.328(c), RIDE must submit the SF-425 quarterly report no later than 30 calendar days after the reporting period and no later than 90 days after the reporting period for the final annual report.
Condition: RIDE did not submit 3 of the 4 (1 quarterly and 2 final annual reports) SF-425 reports within the required period for the Fresh Fruit and Vegetable Program and Supply Chain Assistance (Part of National School Lunch Program).
Cause: The department did not have adequate controls to ensure timely and complete reporting of the SF-425 Federal Financial Report.
Effect: RIDE did not comply with reporting requirements of SF-425 Federal Financial Reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-033 Establish policies and procedures in conjunction with formalizing internal control that ensures complete and timely reporting of the SF-425 Federal Financial Report.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA)
Controls over reporting of subawards can be enhanced to ensure accurate and complete reporting in accordance with FFATA requirements.
Background: RIDE must report on the School Food Authorities (SFA) meal reimbursement amounts as subrecipients on the Federal Transparency Website.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Subaward Reporting System (FSRS).
Condition: RIDE did not report subaward information entered into the FSRS as required by 2 CFR Part 170 during fiscal 2024. Our testing of subaward reporting for compliance with FFATA reporting requirements is detailed in the following table:
[See table within Finding]
Our testing found that RIDE did not comply with FFATA reporting requirements for Child Nutrition Program subawards issued during fiscal 2024.
Cause: Controls, including monitoring procedures, have not been established to ensure that all program subawards are reported as required by FFATA.
Effect: Noncompliance with FFATA reporting requirements for certain program subawards.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-034 Establish policies and procedures in conjunction with formalizing internal control that ensures complete reporting of subawards in accordance with FFATA.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: Not Applicable – Donated Food Commodities
Administered by: Rhode Island Department of Corrections (DOC)
Compliance Requirement: Special Tests and Provisions – Accountability for USDA-Donated Foods
ACCOUNTABILITY FOR USDA-DONATED FOODS
The Department of Corrections needs to ensure that it complies with federal regulations governing the receipt, distribution and inventory of USDA-donated foods.
Background: The USDA provides donated commodities, or "USDA Foods," to schools participating in the National School Lunch Program (NSLP), which are calculated based on the number of lunches served and a per meal value, helping to provide nutritionally balanced, low-cost or free lunches to children. DOC receives USDA-Donated Foods for use in Child Nutrition Cluster programs. These foods are stored in the State’s central distribution center (CDC) warehouse and distributed to eligible local educational agencies.
Criteria: 7 CFR §250.12(b) requires DOC to take an annual physical inventory of its storage facility and reconcile the results with its inventory records.
Condition: DOC performed a physical inventory of USDA-donated foods in June 2024. In summary, there were 23 types of donated commodities in inventory that were available for use in Child Nutrition Cluster programs. We tested 17 of the 23 items and identified 2 items (11.8% of commodity items reviewed) not matching the inventory records. In one instance, the cases on hand were 2 less than recorded in the inventory records. In the second instance, there were 74 more cases on hand than reflected in the inventory system. These discrepancies totaled $3,504. The causes of these variances were not resolved.
Cause: Controls over inventory are not adequate to ensure proper recording of distribution and replenishment of donated commodities.
Effect: Potential for misappropriation or inaccurate reporting of USDA-donated food commodities.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-035 Improve inventory control procedures over USDA-donated food commodities, including complete reconciliations and resolution of discrepancies noted.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Special Tests and Provisions – Paid Lunch Equity
PAID LUNCH EQUITY COMPLIANCE
RIDE did not ensure that the School Food Authorities (SFA) with a negative balance as of June 30, 2022 performed the Paid Lunch Equity (PLE) calculation to determine if the price of paid lunch for school year 2023-2024 required an increase or required an increase of non-federal contributions to the non-profit school food account.
Background: PLE requirements apply to all SFAs that reported a negative balance in their nonprofit school food service account. They are required to ensure that sufficient funds are provided to their nonprofit school food service accounts from lunches served to students not eligible for free or reduced-price meals. An SFA currently charging less for a paid lunch than the difference between the federal reimbursement rate for such a lunch and that for a free lunch is required to comply. This difference is known as “equity.” There are two ways to meet this requirement: (1) raising the prices charged for paid lunches; or (2) through contributions from other non-federal sources to the non-profit school food service account. As stated in the compliance supplement, all SFAs that have a negative balance as of June 30, 2022, will need to perform this calculation to determine if the price of a paid meal requires an increase for the school year of 2023-2024 (FY2024) or an increase in nonfederal contributions to the nonprofit food service account.
Criteria: Federal regulations for the Paid Lunch Equity calculation require all SFAs with a negative balance in their non-profit school food service account as of June 30, 2022 to establish prices for paid lunches or an increase in non-federal contributions in accordance with 7 CFR §210.14(e).
Condition: RIDE did not monitor whether the SFAs with negative balances as of June 30, 2022 complied with the PLE calculations for determining if the price of paid lunches required an increase or more non-federal contributions were required to be added to the SFA’s non-profit school food account. We noted eleven SFAs with negative balances reported as of June 30, 2022.
Cause: RIDE did not have policies, procedures or dedicated resources for determining whether SFAs with negative balances complied with 7 CFR §210.14(e).
Effect: RIDE is not in compliance with 7 CFR §210.14(e) which requires the SFA with negative balances to determine if the price of a paid school lunch must be increased or non-federal contributions must be increased.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-036 Establish policies and procedures in conjunction with formalizing internal control that ensures that SFAs with a negative balance in their non-profit food service account are in compliance with 7 CFR §210.14(e).
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants is the online grant management system for the Consolidated Resource Plan (CRP) grants, which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Reviews and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals, determined at their local level, to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) stores student personally identifiable information (PII), but both contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in its cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107-347, Dec. 17, 2002, section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports and their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants, is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect, is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) store student personally identifiable information (PII) but do contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107 347-Dec.17 2002 section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports and their accompanying Complementary User Entity Controls (CUECs) for applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) across the applications’ system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. A formal documentation process to track logical user change requests is also needed (change requests are currently tracked in email); and
5) An enhanced form of login authentication security, such as Multi-factor Authentication (MFA), for applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals, determined at their local level, to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) stores student personally identifiable information (PII), but both contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107-347 (Dec. 17, 2002), section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports and their accompanying Complementary User Entity Controls (CUECs) for applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) across the applications’ system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. A formal documentation process to track logical user change requests is also needed (change requests are currently tracked in email); and
5) An enhanced form of login authentication security, such as Multi-factor Authentication (MFA), for applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants, is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect, is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) store student personally identifiable information (PII) but do contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107 347-Dec.17 2002 section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports, their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Setup clearly defined parameters for LEA’s acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants, is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect, is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) store student personally identifiable information (PII) but do contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107 347-Dec.17 2002 section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports, their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Setup clearly defined parameters for LEA’s acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants, is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect, is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) store student personally identifiable information (PII) but do contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107 347-Dec.17 2002 section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports, their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Setup clearly defined parameters for LEA’s acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) stores student personally identifiable information (PII), but both contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107-347, Dec. 17, 2002, section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports, their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEA’s acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments. System controls to identify applicant noncompliance with work search requirements were also lacking.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance (UI) programs and ensure that individuals meet the various program requirements to receive benefits. The current system used by DLT to process UI benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. The State utilizes a “cloud-based” front-end application as the user interface for administering UI benefit applications and to validate applicant identity and prevent program fraud. Upon application completion, required applicant data flows to the UI legacy system for benefit administration. The legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2024, benefit payments exceeded $200 million.
DLT maintains a Benefits Accuracy Measurement (BAM) program as required by federal regulations as a quality control system designed to assess the accuracy of UI benefit payments and denied claims. Using a statistical sampling model, the program estimates error rates (i.e., number of claims improperly paid or denied and the dollar amounts of benefits improperly paid or denied) by projecting the results from payment and denial reviews.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with State and federal program requirements. The structure of the federal-state UI program partnership is based on federal statute (20 CFR Chapter V); however, it is implemented through state law.
State responsibilities include: (1) establishing specific, detailed policies and operating procedures which comply with the requirements of federal laws and regulations; (2) determining the state UI tax structure; (3) collecting state UI contributions from employers (commonly called “unemployment taxes”); (4) determining claimant eligibility and disqualification provisions; (5) making payment of UI benefits to claimants; (6) managing the program’s revenue and benefit administrative functions; (7) administering the programs in accordance with established policies and procedures; and (8) enacting state unemployment compensation (UC) law that conforms with federal UC law and that state law and operations substantially comply with federal law.
State UI regulations (RI Code of Regulations) specific to our findings on eligibility include the following:
• Title 260, Chapter 40, Income Support, Subchapter 05 – Unemployment and Temporary Disability Insurance, Section 1.18(F) – “Every claimant shall make such personal efforts to find suitable work as are customarily made by persons in the same occupation or in any other occupation for which the claimant is reasonably suited, commensurate with current economic conditions. These efforts include but are not limited to:
1) Registering for work with the EmployRI,
2) conducting an active, independent work search with at least three (3) work search contacts in each week that benefits are claimed and maintain a written record of the work search,
3) submitting a weekly work search to the department as prescribed by the director and as indicated in the Department of Labor and Training’s guidelines for an active and independent search for work.
4) posting a résumé on the Employment Services’ online job seeker tool kit and inquiring upon any job opportunities presented by the department,
5) completing a skills review or similar activity through Employment Service as prescribed by the Director, and
6) registering on the Virtual Recruiter or similar tool through Employment Service as prescribed by the Director.”
• Section 1.18 (G) – “The Director has discretion in determining whether to require one or all activities identified in §1.18(F)(4), (5), and (6) of this Part.”
Applicants that do not comply with program work search requirements should be referred to DLT’s Central Adjudication Unit.
RI General Law §28-42-68. Recovery of erroneously paid benefits, “(a) Any individual who, by reason of a mistake or misrepresentation made by himself, herself, or another, has received any sum as benefits under chapters 42 - 44 of this title, in any week in which any condition for the receipt of the benefits imposed by those chapters was not fulfilled by him or her, or with respect to any week in which he or she was disqualified from receiving those benefits, shall in the discretion of the director be liable to have that sum deducted from any future benefits payable to him or her under those chapters, or shall be liable to repay to the director for the employment security fund a sum equal to the amount so received, plus, if the benefits were received as a result of misrepresentation or fraud by the recipient, interest on the benefits at the rate set forth in §28-43-15. That sum shall be collectible in the manner provided in §28-43-18 for the collection of past due contributions. All interest received pursuant to this subsection shall be credited to the employment security interest fund created by §28-42-75.”
Condition: While our testing found that UI payments complied with most program eligibility requirements, noncompliance with certain requirements was noted. We tested a random sample of 60 individual benefit payments totaling $24,243 in fiscal 2024. In conjunction with our testing, the following 2 exceptions (3.3% error rate) were deemed to be noncompliance with eligibility requirements resulting in ineligible benefit payments:
• 1 of 60 individuals had a return-to-work date submitted by the employer; however, the claimant received three payments after that date. DLT did not investigate any potential overpayment (questioned costs - $2,139).
• 1 of 60 was not registered within EmployRI and staff were unable to locate any records of the claimant (questioned costs - $10,829).
In conjunction with our testing, we noted a control deficiency relating to the documentation of social security numbers for applicant dependents. In our sample, we noted one case where social security numbers were not included in the UI system for reported dependents. Although DLT was subsequently able to provide documentation of social security numbers for the dependents, the UI system lacks systemic controls to prevent benefit payments when social security numbers are not reported in the case record.
As part of our testing, we evaluated applicant compliance with job search activities (e.g., résumé posting, completing a skills review, registering on the Virtual Recruiter or similar tool) required within UI policies and procedures. Our testing identified the following exceptions relating to applicant job search activity compliance:
• 5 of 60 (8.3%) did not have a résumé. EmployRI sets up the claim with an automated résumé recording all the information that a claimant presents. These five claimants were not compliant with a résumé being posted within the six-week requirement. DLT follow-up indicated that “the system failed to create the system generated résumé” for these applicants.
• 50 of 60 (83.3%) had incomplete résumés in the EmployRI system. Each résumé had completion rates between 20% - 60% and remained offline.
For eligibility purposes, while these exceptions support that controls are lacking over applicant compliance with job search requirements, these exceptions were not considered to represent benefit payments to ineligible applicants since DLT did not identify these cases for adjudication. Our review also noted that certain State UI policies on file with the Secretary of State regarding work search requirements (e.g., submission of weekly work search, résumé posting requirements) were inconsistent with the UI claimant guidance available on the DLT website.
Both our testing results and those reported through the BAM program identified significant noncompliance with UI claimant job search requirements. DLT’s reported BAM program results for the 2023-2024 reporting period cited noncompliance with work search activities in 31% of the cases reviewed.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to UI benefit operations. The State’s planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., Onbase imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits paid to individuals who did not comply with program eligibility requirements.
Questioned Costs: $12,968
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-038a Implement compensating controls to identify noncompliance with program requirements.
2024-038b Ensure that ongoing considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
2024-038c Ensure that official State UI policies and procedures on file with the Secretary of State relating to work search requirements are consistent with UI claimant guidance available on DLT’s website.
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT)’s UI system does not impose penalties on overpayments due to fraud as required by federal regulations. The system also does not prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment results from the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15%) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
In compliance with federal law (42 U.S. Code Section 503(a)(11), State Laws), the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a DLT request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2024, DLT was not properly identifying and handling overpayments due to system limitations, including, as applicable, assessing the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud. DLT has no procedures currently in place to comply with federal regulations for program integrity overpayments.
Effect: Material noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-039 Implement procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT)’s UI system does not impose penalties on overpayments due to fraud as required by federal regulations. The system also does not prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment results from the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15%) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
In compliance with federal law (42 U.S. Code Section 503(a)(11), State Laws), the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a DLT request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2024, DLT was not properly identifying and handling overpayments due to system limitations, including, as applicable, assessing the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud. DLT has no procedures currently in place to comply with federal regulations for program integrity overpayments.
Effect: Material noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-039 Implement procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
HIGHWAY PLANNING AND CONSTRUCTION – 20.205
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2024
Federal Award Numbers: Various
Administered by: Rhode Island Department of Transportation (RIDOT)
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Procurement, Suspension and Debarment
CONSULTANT CERTIFICATION OF INDIRECT COST RATE COMPLIANCE
RIDOT lacks policies and procedures requiring consultants to certify final indirect costs as mandated by federal regulations.
Criteria: Consultants and sub-consultants providing engineering and design-related services must certify to contracting agencies that costs used to establish indirect cost rates are in compliance with the applicable cost principles contained in the Federal Acquisition Regulation (48 CFR Part 31) by submitting a “Certificate of Final Indirect Costs” (23 USC 112(b)(2)(C); 23 CFR §172.11(c)(3)).
Condition: RIDOT lacks formalized internal control (e.g., policies and procedures) to ensure compliance with 23 CFR §172.11(c)(3). RIDOT did not obtain the required Certificate of Final Indirect Costs from engineering and design-related vendors as required by federal regulations.
Cause: RIDOT has not developed, documented, or implemented a Certificate of Final Indirect Costs for engineering and design-related service procurements.
Effect: RIDOT is not compliant with 23 CFR §172.11(c)(3)(iii) and (ii) which require submission of a Certificate of Final Indirect Costs by an appropriate certifying official of the engineering and design-related services consultant. Consequently, RIDOT does not have an attestation from contracted consultants certifying compliance with Federal Acquisition Regulation cost principles designed to provide assurance of compliance with laws, regulations, and grant terms and conditions.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-040 Develop, document and implement a Certificate of Final Indirect Costs for engineering and design-related service procurements in compliance with 23 CFR §172.11(c)(3)(iii) and (ii). Integrate the Certificate of Final Indirect Costs within RIDOT’s internal control system to provide assurance of compliance with laws, regulations, and grant terms and conditions.
HIGHWAY PLANNING AND CONSTRUCTION – 20.205
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2024
Federal Award Numbers: Various
Administered by: Rhode Island Department of Transportation (RIDOT)
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Procurement, Suspension and Debarment
INDEFINITE DELIVERY / INDEFINITE QUANTITY PROCUREMENT
RIDOT has no documentation of FHWA-approved Indefinite Delivery/Indefinite Quantity (ID/IQ) procurement policies and procedures.
Background: ID/IQ is a method of contracting that allows an indefinite quantity of services for a fixed time. This method is used when a contracting agency anticipates a recurring need but has not determined, above a specified minimum, the precise quantities of services that it will require during the contract period. Contractors bid unit prices for estimated quantities of standard work items, and work orders are used to define the location and quantities for specific work.
Criteria: 23 CFR §635.606(a) states that “The State DOT shall submit its proposed ID/IQ procurement procedures to the Division Administrator for review and approval. Following approval by the Division Administrator, any subsequent changes in procedures and requirements shall also be subject to approval by the Division Administrator before they are implemented. Other contracting agencies may follow approved State DOT procedures in their State or their own procedures if approved by both the State DOT and FHWA. The Division Administrator’s approval of ID/IQ procurement procedures may not be delegated or assigned to the State DOT.”
Condition: The RIDOT internal control system does not contain documented and approved ID/IQ procurement procedures detailing control activities which provide assurance of compliance with laws, regulations, and grant terms and conditions.
Cause: RIDOT has not developed, documented, and submitted ID/IQ procurement procedures to FHWA for review and approval.
Effect: RIDOT is not compliant with 23 CFR §635.606(a) documentation and approval requirements for ID/IQ procurements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-041 Develop and document ID/IQ procurement procedures and submit them to FHWA for review and approval. Upon FHWA approval, integrate ID/IQ procurement procedures within RIDOT’s internal control system to provide assurance of compliance with laws, regulations, and grant terms and conditions.
PORT INFRASTRUCTURE DEVELOPMENT PROGRAM – 20.823
Federal Awarding Agency: U.S. Department of Transportation (DOT)
Federal Award Fiscal Years: 2022 - 2028; 2024 - 2029
Federal Award Numbers: 693JF72140012; 693JF72344009
Administered by: Quonset Development Corporation (QDC)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Cash Management; Procurement, Suspension and Debarment; Subrecipient Monitoring
QUONSET DEVELOPMENT CORPORATION – DOCUMENTED POLICIES AND PROCEDURES
Criteria: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial and program management. Specifically, written policies are required for the following:
• Determination of allowable costs
• Employee travel
• Cash management
• Procurement
• Conflicts of interest
Condition: The Organization does not have written policies and procedures in place related to federal awards, as required under the Uniform Guidance.
Cause: While the Organization does not have written policies and procedures regarding internal controls, it has not developed specific written formal documentation of internal controls to encompass all applicable areas per the Uniform Guidance.
Effect: Due to the weaknesses in internal controls noted above, the Organization did not comply with the requirements of the Uniform Guidance over documented policies and procedures. No questioned costs are reported as this requirement is procedural in nature.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-042 The Organization should address the weakness noted above and create policies and procedures related to federal awards in order to comply with the Uniform Guidance.
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Reporting
FEDERAL REPORTING
RIDOT lacks documentation of internal controls over the reporting requirements for National Infrastructure Investment (NII) Grants.
Criteria: 2 CFR §200.303(a) states “Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition: RIDOT’s internal controls relating to reporting requirements for NII Grants are not formalized in the manner required by statute, federal regulations, or professional standards (COSO, Green Book). There is no documentation of review and approval for submission of the Quarterly Project Progress Reports that are required by the grant awards. The Division of Performance Management, responsible for submission of the report, obtains verbal approval from the Director of Project Management prior to submission of the NII Grant report to FHWA. Consequently, submission approval and segregation of report preparation and approval/authorization control activities are not verifiable by examination.
RIDOT’s current processes for NII Grant reporting are susceptible to misinterpretation, result in less assurance and accountability for report preparation and approval, and prevent the evaluation and monitoring of controls designed to ensure reporting accuracy.
Cause: RIDOT lacks documentation of internal control that complies with Uniform Guidance requirements.
Effect: Potential for errors in federal reporting submitted for the NII Grant program.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-043a Enhance internal controls over the Reporting requirement by documenting policies, procedures and control activities in conformance with an internal control framework such as COSO or the Green Book.
2024-043b Document NII Grant report review and submission approval.
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration (DOA), Pandemic Recovery Office (PRO)
Compliance Requirement: Subrecipient Monitoring; Allowable Costs/Cost Principles
SUBRECIPIENT PAYMENTS AND MONITORING
Subrecipient monitoring procedures were insufficient to identify and remedy a finding reported by the subrecipient auditor that affected the State Fiscal Recovery Fund. Monitoring procedures were not in place to ensure adequate documentation was obtained regarding the use of payment advances.
Background: The Pandemic Recovery Office, as the administering agency of the State Fiscal Recovery Fund, executes memoranda of understanding with the various departments and agencies to conduct projects under the allowable uses of the program. The departments and agencies then often execute subawards within the scope of the specific project.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, and (3) issuing a management decision for audit findings pertaining to the Federal award.
Uniform Guidance cost principles dictate that, in order to be allowable under Federal awards, costs must be adequately documented (2 CFR §200.403(g)).
Condition: As part of our testing, we performed an independent review of Single Audit Reports submitted to the Federal Audit Clearinghouse (FAC) for each sampled subrecipient. We noted a reported finding linked to the State Fiscal Recovery Fund for the subrecipient audit year ended September 30, 2024; the report was filed with the Clearinghouse on June 24, 2024. The report was not reviewed by the pass-through department, and subsequently, no management decision was issued.
In regard to the review of subrecipient reports in the Clearinghouse overall, of the 26 sampled subrecipient entities, 18 had filed Single Audit Reports with the FAC. Of those 18 reports, only 3 were reviewed, documented, and management decisions issued as necessary (15 not reviewed; 83% error rate).
Additionally, many of these subrecipients receive funding on a periodic basis. Of 31 subrecipient payments reviewed, 3 were payment advances to subrecipients for which no additional documentation or reconciliation was available to support subrecipient expenditures related to those prepayments. We noted several other subrecipient reimbursement payments that were lacking adequate support for the expenditures being reimbursed. Other documentation maintained by the agency to support monitoring procedures was unable to be provided.
Cause: Subrecipient monitoring procedures are not in place to ensure audit reports are reviewed and management decisions are issued, as required by Uniform Guidance. Other monitoring procedures were inadequate to ensure that subrecipients appropriately utilized the funds provided to support program objectives.
Effect: Noncompliance with program guidelines and/or federal regulations at the subrecipient level could go undetected and unresolved.
Questioned Costs: Undetermined
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-044a Enhance internal control procedures to ensure timely review of audit reports and issuance of management decisions in accordance with Uniform Guidance.
2024-044b Strengthen subrecipient compliance by requiring submission of Single Audit Reports to the pass-through department/agency as part of the subaward terms and conditions, prompting the review upon receipt of the reports.
2024-044c Enhance controls to ensure adequate documentation of monitoring procedures performed and support for subrecipient expenditures is obtained. Document any meetings and/or conversations with the subrecipients and discussion had therein.
DRINKING WATER STATE REVOLVING FUND – 66.468
Federal Awarding Agency: Environmental Protection Agency (EPA)
Federal Award Fiscal Years: 2022 - 2030
Federal Award Numbers: 99126120, 99126122, 99126E22, 99126S22, 99126L22, 99126123, 99126E23, 99126S23, 99126121, 99126L23
Pass-through Entity: Rhode Island Infrastructure Bank (RIIB)
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER ALLOCATION OF INDIRECT COSTS
Controls are inadequate to ensure allocation of indirect costs is accurate, complete and in compliance with federal regulations.
Background: RIDOH has constructed comprehensive workbooks, Uniform Grant Spreadsheets (UGS), to assist in monitoring award activity throughout the period of performance. Agency staff populate the UGS workbooks monthly with transactional information from the State’s accounting system. Accounting detail contained in the UGS is used to determine the indirect costs allocable to direct expenditures. Populating the spreadsheets is a manual process and lacks the required access, data integrity and other monitoring controls necessary to ensure the accuracy of the recording activity and subsequent calculations contained within.
Criteria: Federal regulations 2 CFR §200.303 and 45 CFR §75.303 require the auditee to establish, document and maintain effective internal control over Federal awards that provides reasonable assurance the recipient is managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards.
Additionally, Federal regulation 2 CFR Part 200, Appendix VII specifically excludes capital expenditures as part of the direct expenditure base used in computing the indirect costs.
Condition: Internal control over the allocation of indirect costs was insufficient to ensure compliance with federal regulations, specifically:
• Indirect costs were erroneously applied to capital expenditures relating to improvements of the State’s Medical Examiner’s building, resulting in questioned costs of $160,132.
• Data entry errors in the ELC Enhancing Detection award workbook resulted in an incorrect indirect cost rate being applied retroactively to fiscal 2021. In considering total questioned costs, we calculated the impact of the incorrect indirect cost rate applied over the duration of the award to determine total questioned costs of $989,825.
Cause: Current controls are not adequate (1) to detect the inclusion of unallowable costs within the indirect cost allocation calculation and (2) to ensure that the approved indirect cost rate is properly applied. The maintenance of the UGS monthly transactional detail is highly manual and lacks the data integrity controls to properly monitor for completeness, accuracy and required compliance with federal regulations.
Effect: Reimbursement for unallowable indirect costs.
Questioned Costs: $1,149,957 (ELC – 93.323)
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-045a Enhance internal controls over the UGS to ensure only allowable costs are included in the calculation of indirect costs and that only the approved indirect cost rate is applied.
2024-045b Credit the federal grantor for unallowable costs charged to the ELC grant award.
DRINKING WATER STATE REVOLVING FUND – 66.468
Federal Awarding Agency: Environmental Protection Agency (EPA)
Federal Award Fiscal Years: 2022 - 2030
Federal Award Numbers: 99126120, 99126122, 99126E22, 99126S22, 99126L22, 99126123, 99126E23, 99126S23, 99126121, 99126L23
Pass-through Entity: Rhode Island Infrastructure Bank (RIIB)
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER ALLOCATION OF INDIRECT COSTS
Controls are inadequate to ensure allocation of indirect costs is accurate, complete and in compliance with federal regulations.
Background: RIDOH has constructed comprehensive workbooks, Uniform Grant Spreadsheets (UGS), to assist in monitoring award activity throughout the period of performance. Agency staff populate the UGS workbooks monthly with transactional information from the State’s accounting system. Accounting detail contained in the UGS are utilized to determine the indirect costs allocable to direct expenditures. Populating the spreadsheets is a manual process and lacks the required access, data integrity and other monitoring controls necessary to ensure the accuracy of the recording activity and subsequent calculations contained within.
Criteria: Federal regulations 2 CFR §200.303 and 45 CFR §75.303 require the auditee to establish, document and maintain effective internal control over Federal awards that provides reasonable assurance the recipient is managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards.
Additionally, Federal regulation 2 CFR Part 200, Appendix VII specifically excludes capital expenditures as part of the direct expenditure base used in computing the indirect costs.
Condition: Internal control over the allocation of indirect costs was insufficient to ensure compliance with federal regulations, specifically:
• Indirect costs were erroneously applied to capital expenditures relating to improvements of the State’s Medical Examiner’s building, resulting in questioned costs of $160,132.
• Data entry errors in the ELC Enhancing Detection award workbook resulted in the incorrect indirect cost rate being applied retroactively to fiscal 2021. In considering total questioned costs, we calculated the impact of the incorrect indirect cost rate applied over the duration of the award to determine total questioned costs of $989,825.
Cause: Current controls are not adequate (1) to detect the inclusion of unallowable costs within the indirect cost allocation calculation and (2) to ensure that the approved indirect cost rate is properly applied. The maintenance of the UGS monthly transactional detail is highly manual and lacks the data integrity controls to properly monitor for completeness, accuracy and required compliance with federal regulations.
Effect: Reimbursement for unallowable indirect costs.
Questioned Costs: $1,149,957 (ELC – 93.323)
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-045a Enhance internal controls over the UGS to ensure only allowable costs are included in the calculation of indirect costs and that only the approved indirect cost rate is applied.
2024-045b Credit the federal grantor for unallowable costs charged to the ELC grant award.
DRINKING WATER STATE REVOLVING FUND – 66.468
Federal Awarding Agency: Environmental Protection Agency (EPA)
Federal Award Fiscal Years: 2022 - 2030
Federal Award Numbers: 99126120, 99126122, 99126E22, 99126S22, 99126L22, 99126123, 99126E23, 99126S23, 99126121, 99126L23
Pass-through Entity: Rhode Island Infrastructure Bank (RIIB)
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH controls over time and effort reporting are insufficient to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built and implemented a complex time-reporting system using internal worksheets for employees to allocate time spent on various activities during the pay periods. Reconciliations of the hours worked versus the hours charged to the State’s payroll and accounting systems are performed quarterly. Recorded amounts are adjusted accordingly to ensure charges to the federal programs are consistent with actual time worked on the various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(g)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following control deficiencies pertaining to the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 25 of the 80 selected weekly timesheets lacked a supervisory review signature. In addition, RIDOH was unable to provide 1 timesheet for an employee selected in the sample. For the Drinking Water State Revolving Fund (DWSRF) program, 4 of the 80 selected weekly timesheets lacked a supervisory review signature.
• Two exceptions in the ELC sample noted above and one exception in the DWSRF sample noted above involved timesheet activity recorded to general category codes (i.e., EH Management & Leadership), which lack sufficient detail (i.e., underlying activity performed in support of related category code) to support specific Federal program allocation. This resulted in certain payroll costs being overallocated to the ELC program (questioned costs $1,126) and to the DWSRF program (questioned costs $704).
Cause: Current policies and procedures were ineffective to ensure amounts claimed and reimbursed by Federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet details for general category codes prevented direct verification of recorded timesheet activities to the underlying charges for the related federal programs.
Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $1,126 (ELC – 93.323), $704 (DWSRF – 66.468)
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-046 Enhance reporting of time and effort for general timesheet category activities to improve documentation and support for personnel costs charged to Federal programs.
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The Department of Education (RIDE) has not implemented adequate subrecipient monitoring activities to ensure compliance with federal regulations.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations. RIDE performs its subrecipient monitoring through the review of audit reports, desk reviews and site visits to subrecipients deemed high risk. High-risk subrecipients are determined through the review of audit reports, completion of a desk review checklist, and an annual survey completed by the subrecipients and then scored by RIDE.
Criteria: Federal regulation 2 CFR §200.329 requires Pass Through Entities (PTE), such as the State, to monitor grant subrecipients to ensure that federal funds are spent appropriately. Federal regulation 2 CFR §200.332 Subpart B requires that the PTE provide subrecipients with clear grant information, including grant terms, required financial reporting, and audit requirements. Per 2 CFR §200.328, PTEs must collect financial data from subrecipients no less than annually.
Condition: We identified some deficiencies in internal controls relating to subrecipient monitoring during our audit. Deficiencies included a lack of required monitoring documentation (e.g., annual surveys, Single Audit Reports) submitted by subrecipients and failure by RIDE to appropriately consider these deficiencies within their consideration of subrecipient risk. Of the 65 subrecipients receiving $55.3 million, we selected 25 subrecipients for testing and found 4 subrecipients with control deficiencies that prevented RIDE from complying with the subrecipient monitoring requirement as follows:
• RIDE was unable to provide documentation supporting grant award information communicated to one subrecipient. Additionally, the required risk assessment for the Special Education Cluster was not performed for this subrecipient.
• RIDE was unable to provide the completed Desk Review checklist for 3 subrecipients. These 3 subrecipients also did not complete RIDE’s required annual survey. We found that the lack of annual survey completion did not result in RIDE assessing higher risk for one subrecipient, and thus no site visit was performed. The other 2 subrecipients were assessed at high risk; however, no site visit was performed for these subrecipients.
• A subrecipient did not submit its fiscal year 2022 and 2023 Single Audit Reports and RIDE did not modify its risk assessment accordingly. RIDE was also unable to provide documentation supporting its follow-up (i.e., meeting discussing the submission of the Single Audit Report) with the subrecipients. Additionally, RIDE’s risk assessment was not adequate to identify this subrecipient as high risk.
Internal controls over subrecipient monitoring would be improved by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed. Implementing site visits when subrecipients do not comply with documentation requirements would ensure that monitoring procedures align with the risk associated with the subrecipient.
Cause: Lack of adequate dedicated agency resources and insufficient controls to ensure compliance with federal requirements.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-047 Improve internal controls over subrecipient monitoring by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed.
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Reporting
CONTROLS OVER FEDERAL FINANCIAL REPORTING REQUIREMENTS
There are insufficient controls to ensure complete and accurate program reporting requirements.
Criteria: Federal regulation 45 CFR §75.341 requires the Federal Financial Report (FFR), SF-425A, to be submitted on an annual basis in accordance with the terms and conditions of the federal award. Recipients must submit FFRs to the U.S. Department of Health and Human Services (HHS) Centers for Disease Control & Prevention no later than 90 days after the end of the reporting period and final FFRs within 120 days after the end of the period of performance. FFRs are to be complete and accurate, and the amounts reported must be able to be substantiated by the entity’s accounting records. In addition, the report is designed to capture key financial data for a grant award, such as the amount of federal funds disbursed and spent so far.
Condition: RIDOH was unable to substantiate expenditure amounts recorded on the FFR for the ELC Core award and its supplements. Additionally, the ELC Core – National Wastewater Surveillance System FFR reported amounts for expenditures past the end of the reporting period.
Cause: RIDOH currently utilizes workbooks, Uniform Grant Spreadsheets (UGS), to track federal expenditures during the term of the award. Information reported on the annual FFRs is compiled using the cumulative information within the UGS. There is a lack of sufficient control over access and data integrity to ensure that the underlying transactional account details are complete and accurate. The UGS are not reconciled on a routine basis to ensure consistency with the detail in the State’s financial accounting system, and management’s review of the required SF-425A reports was insufficient to identify inaccuracies in amounts reported.
Effect: Certain submitted Federal Financial Reports (SF-425A) were not complete and accurate.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-048a Enhance internal control over the UGS to ensure the accuracy and integrity of cumulative financial information used in generating required federal financial reports.
2024-048b Reconcile the details contained within the UGS to the underlying transactional information recorded in the State’s accounting system, to verify amounts reported within the required SF-425A forms are complete and accurate.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS IN THE TEMPORARY ASSISTANCE FOR NEEDY FAMILIES (TANF) PROGRAM
Internal controls are lacking to ensure that TANF eligibility is supported by documentation required by program regulations. Documentation deficiencies, specifically those relating to documented applicant residency, resulted in noncompliance with TANF eligibility requirements for fiscal 2024.
Background: RIBridges is the State’s federally approved integrated eligibility system used to manage multiple health care and human service programs. It was designed to allow for enhanced client accessibility and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: Federal regulation 45 CFR §260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR §205.60(a) requires the State agency “to maintain records to support eligibility, including facts to support the client’s need for assistance. The State’s policies and procedures require that documentation used to verify eligibility be maintained in the case file.”
Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Proof of residency is a requirement for TANF eligibility. According to the RI State plan, acceptable documentation for proof of residency includes rental receipts, lease agreements, utility bills, medical bills, bank statements, payroll statements, mortgage statements, car registrations, city or town tax statements, and/or school records.
Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. We noted the following exceptions in our testing of case files:
[See table within Finding]
Exceptions resulting in eligibility being unsupported by case record (11 Exceptions – 15.4% error rate):
• None of the required documentation supporting household residency was included in the case record for 9 sample households.
• Signed recertification documents were not scanned to the system for 2 of the cases selected in the sample.
Exceptions – nonconformance with established eligibility process and/or control procedures (control exception without impact on eligibility):
• Identification documents for all household members or other supporting case documents not scanned to the system (23 instances).
* Represents the number of cases containing errors; a case may have more than one error.
Documentation deficiencies for critical eligibility requirements were noted in 15.4% of the cases we tested in fiscal 2024. Our sample of 71 household monthly benefit payments totaled $42,392. Questioned costs noted during our sample testing totaled $6,158 for a benefit error rate of 14.53%. Our sample error rate projected to the benefit population estimated likely questioned costs of $3.4 million, or 4.3% of the total program expenditures. While our projected questioned costs did not rise to the level of material noncompliance with TANF eligibility requirements, significant noncompliance is resulting from documentation deficiencies.
While applicant attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation and the significant number of other documentation deficiencies noted were deemed to be a material weakness in internal control over TANF eligibility.
Cause: Lack of supporting documentation included in the TANF case record (file) and insufficient procedures to ensure that critical case documentation is included in the case record prior to eligibility being approved for the applicant.
Effect: Noncompliance with TANF eligibility requirements and/or documentation requirements mandated by DHS policy. Ineligible benefit payments claimed to the TANF program.
Questioned Costs: $53,835
Valid Statistical Sample: Yes
RECOMMENDATION
2024-049 Improve policies and procedures to ensure that all required eligibility compliance requirements for TANF are documented within RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Special Tests and Provisions – Income Eligibility and Verification System
INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Internal controls are lacking to ensure that Income Eligibility Verification System (IEVS) requirements are supported by documentation required by program regulations. Documentation deficiencies, specifically relating to executing data exchange interfaces, resulted in noncompliance with federal requirements for fiscal 2024.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: 2 CFR §200.303 requires that a non-federal entity must “establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Federal regulation 45 CFR §205.55 requires that “each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45 CFR §205.55): (a.) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis. (b.) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted. (c.) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity. (d.) Information from the US Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information. (e.) Unearned income from the Internal Revenue Service (IRS).”
Condition: The Department of Human Services (DHS) did not outline within its TANF state plan how it complies with Section 1137 of the Social Security Act as amended as it relates to IEVS requirements. Furthermore, the case files reviewed in the RIBridges system lacked sufficient documentation to demonstrate that income data interfaces were consistently executed for certain cases tested. This raises concerns regarding the adequacy of verification processes and compliance with federal program integrity requirements.
As part of our sample testing of 71 cases subject to IEVS requirements, we identified the following issues:
• In 5 cases, SWICA data from the Rhode Island Department of Labor and Training was available; however, no actions were taken to verify or incorporate this information into the benefit calculation process.
• In 5 cases, none of the required IEVS data interfaces had been executed or documented in the case files.
• In 21 cases, the IRS data interface was either not executed or reflected outdated information.
• In 9 cases, the SSA data interface was either not executed or reflected outdated information.
Cause: Absence of IEVS procedures documented within the TANF state plan. Lack of supporting documentation in the case record and insufficient procedures to ensure that income interfaces are run against client information prior to and during eligibility periods.
Effect: Noncompliance with TANF IEVS requirements mandated by federal regulations. Improper or incorrect benefit payments could be claimed to the TANF program.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-050a Conduct a review of the TANF state plan and update it to include detailed procedures for utilizing IEVS interfaces and incorporating the resulting information into eligibility determinations.
2024-050b Ensure that income data interfaces are properly executed and that the information obtained is used in making benefit eligibility determinations.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022; 2023; 2024
Federal Award Number: 2201RITANF; 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL AND SPECIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation. Subawards were not reported timely in accordance with federal regulations.
Background: RIBridges is the State’s federally approved integrated eligibility system used to manage multiple healthcare and human service programs. It was designed to allow for enhanced client accessibility and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: Federal reports should include all activity for the reporting period, be supported by applicable accounting or performance records, and be fairly presented in accordance with program reporting requirements. Subaward reporting under the Federal Funding Accountability and Transparency Act (FFATA) requires the awarding agency to report subawards in the Federal Subaward Reporting System (FSRS) no later than the last day of the month following the month in which the subaward/subaward amendment obligation was made or the subcontract award/subcontract modification was made (2 CFR Part 170, Appendix A, Award Term, Reporting Requirements).
Condition: We tested two out of five quarterly TANF reports (grant awards can often overlap reporting periods), and two of four quarterly Childcare financial reports, noting errors in at least one line item in all reports tested that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
In regard to testing of subawards for compliance with federal reporting requirements, three subawards were not submitted by the end of the month subsequent to the awarding action. Our testing of subaward reporting for compliance with FFATA reporting requirements is detailed in the following tables:
[See tables within Finding]
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, documentation for each report was not saved and maintained as supporting documentation. DHS lacks monitoring controls to ensure that subawards are reported in accordance with FFATA requirements.
Effect: Federal reporting errors were made and not detected and corrected.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-051a Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
2024-051b Implement monitoring controls to ensure that subaward information is submitted timely in accordance with FFATA reporting requirements.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PAYMENTS TO SUBRECIPIENTS
Invoices provided by subrecipients for both TANF and Childcare did not include all underlying documentation to support the amount requested.
Background: TANF: A State may contract with charitable, religious, and private organizations to provide administrative and programmatic services and may provide beneficiaries of assistance with certificates, vouchers, or other forms of disbursement that are redeemable with such organization (42 USC 604a(b), 42 USC 604a(k), and 45 CFR §260.34).
CCDF: Funds may be used for activities that improve the quality or availability of child care services, consumer education and parental choice (42 USC 9858e).
Subrecipients are required to submit periodic reports (FM-1) and supporting documentation to DHS to receive payment.
Criteria: Under the Uniform Guidance, 2 CFR §200.403, Factors affecting allowability of costs, allowable costs must:
(a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles.
(b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items.
(c) Be consistent with policies and procedures that apply uniformly to both federally financed and other activities of the recipient or subrecipient.
(d) Be accorded consistent treatment. For example, a cost must not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose in like circumstances has been allocated to the Federal award as an indirect cost.
(e) Be determined in accordance with generally accepted accounting principles (GAAP).
(f) Not be included as a cost or used to meet cost sharing requirements of any other federally-financed program in either the current or a prior period.
(g) Be adequately documented.
Condition: Subrecipients submit monthly invoices requesting reimbursement for cost categories such as Payroll, Overhead, Consulting, Supplies, and Travel. Eighteen out of 25 TANF contract payments tested were lacking supporting documentation for at least one cost category reported on the FM-1. We also noted 19 out of 25 CCDF contract payments were lacking supporting documentation for payroll costs reported on the FM-1. While DHS had obtained documentation supporting the contractor reimbursement request, the documentation was not adequate to fully evaluate compliance with allowability requirements defined in 2 CFR §200.403.
Cause: Lack of adequate review of contractor-provided documentation prior to reimbursement. Documentation submitted by subrecipients was deemed insufficient to evaluate compliance with 2 CFR §200.403.
Effect: Reimbursements for unallowable activities could be made by these federal programs and not be detected.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-052a Adopt specific policy requirements regarding documentation required from subrecipients in support of reimbursement requests.
2024-052b Obtain adequate and complete documentation to support the allowability of costs claimed under contracts before authorization of payment.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet its security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions were not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions were not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
System controls over eligibility determinations and income validation within RIBridges require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility need improvement to support compliance with federal regulations.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program.
Criteria: Lead agencies must have procedures in place for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements adopted by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding scale fee, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: RIBridges lacked effective income validation controls to determine program eligibility. Documentation supporting child care program eligibility was not found in 5 out of the 40 sample cases we reviewed, resulting in a 12.5% error rate. The complete details of our testing are presented in the following table:
[See table within Finding]
Our sample of 40 household monthly benefit payments totaled $8,392. Questioned costs noted during our sample testing totaled $1,076 for a benefit error rate of 12.82%. Projecting our sample error rate to the Child Care program’s proportionate share (46% of total benefit population; $29.8 million funded by Child Care), resulted in estimated likely questioned costs of $3.8 million of the total program expenditures. The significance of our sample error rate and projected questioned costs, relating to critical documentation deficiencies, was determined to represent material noncompliance with CCDF eligibility requirements in fiscal 2024.
DHS review of 2 of the 3 exceptions where documentation of eligibility was lacking found those cases to be initiated by the Department of Children, Youth and Families (DCYF) for children in the State’s custody or known through DCYF programs. DHS indicated that current processes do not require documentation of eligibility for applicants initiated by DCYF to be included in RIBridges. Our position is that documentation supporting eligibility for all CCDF program applicants should be supported by RIBridges.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documents are missing. Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined.
Effect: Noncompliance with childcare eligibility requirements. The parental income/co-shares could be incorrectly determined. Failure to end benefits timely due to income changes.
Questioned Costs: $35,911
Valid Statistical Sample: Yes
RECOMMENDATION
2024-054 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Special Tests and Provisions – Health and Safety
NONCOMPLIANCE WITH HEALTH AND SAFETY REQUIREMENTS
The DHS Office of Child Care’s (OCC) monitoring policies and procedures are not ensuring childcare provider compliance with health and safety standards.
Background: The Department of Human Services (DHS), the lead agency, operates the Office of Child Care (OCC) which administers the Child Care Assistance program as well as the licensing and monitoring of participating child care centers. DHS has adopted formalized licensure and health and safety policies and procedures designed to ensure compliance with 45 CFR §98.41, Health and safety requirements.
In addition to OCC provider case file reviews in fiscal 2024, the Office of the Auditor General conducted site visits to a sample of Family Child Care (FCC) and Child Care Center (CCC) providers in connection with an ongoing performance audit of Child Care health and safety standards.
Criteria: 45 CFR §98.41, Health and safety requirements state that “(a) Each Lead Agency shall certify that there are in effect, within the State (or other area served by the Lead Agency), under State, local or tribal law, requirements (appropriate to provider setting and age of children served) that are designed, implemented, and enforced to protect the health and safety of children. Such requirements must be applicable to child care providers of services for which assistance is provided under this part.” 45 CFR §98.41 details the minimum health and safety topics that need to be covered by State Child Care rules and regulations.
RI Code of Regulations, Title 218, Department of Human Services, Chapter 70, Office of Child Care Licensing, Parts 1 and 2, mandate licensing standards for Child Care Centers and Family Child Care Centers.
Condition: While DHS has comprehensive policies and procedures adopted in relation to Child Care program Health and Safety standards, our audit identified varying levels of compliance with those policies and procedures when reviewing provider case files and visiting child care providers. Our sample of 50 providers noted the following noncompliance with OCC health and safety requirements:
• 34 of 50 (68%) providers reviewed lacked documentation of background record checks;
• 17 of 50 (34%) providers reviewed lacked documentation of child immunization records for non-school age children (immunization records were not documented for 46 out of 439 or 10.4% of children reviewed at the selected providers);
• 5 of 50 (10%) providers did not have an emergency preparedness and response plan that addressed all required components;
• 9 of 30 (30%) providers with infant care were noted to have unallowable items in the facility cribs;
• 20 of 50 (40%) providers did not have toxic substances clearly labeled and in a secure area; and
• 22 of 50 (44%) providers did not have complete developmental histories for children in their care (developmental histories were not documented for 61 out of 336 children or 18.2% of children reviewed at the selected providers).
Child care provider compliance was found to be high for requirements for liability insurance coverage, fire inspections, lead inspections, and radon inspections.
Cause: DHS OCC monitoring policies and procedures are not ensuring child care provider compliance with health and safety standards.
Effect: Noncompliance with child care provider health and safety requirements designed to ensure the health and safety of children covered under the Child Care and Development Fund program.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-055 Evaluate current monitoring procedures and resources needed to improve child care provider compliance with health and safety requirements.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to public health emergency (PHE) regulations and policy modifications that extended into fiscal year 2024, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $147.5 million in fiscal 2024. Benefit expenditures mainly constituted managed care capitation payments for CHIP eligible individuals. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted PHE unwinding procedures, which required a phased rollout of eligibility redetermination procedures during fiscal 2024.
Eligibility for CHIP is mainly determined through the State’s integrated eligibility system, RIBridges. Individuals are assigned CHIP eligible aid categories, which are then communicated to the Medicaid Management Information System (MMIS) where fee-for-service claims and managed care capitation (i.e., healthcare premiums) are paid on behalf of the individuals. The MMIS allocates expenditures for claims and capitation based on the individual’s aid category.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $5.8 million in federal expenditures) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2024, we tested a sample of 60 CHIP eligible members (population of individuals with reported CHIP eligibility during fiscal year 2024 totaled 52,198). Fee-for-service and managed care capitation payments for fiscal 2024 approximated $20.4 million (federal share - $14.1 million) and $119.1 million (federal share - $82.2 million), respectively. Of the 60 cases (eligibility segment for sampled CHIP members) sampled, our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking (2 cases; questioned costs - $906).
• Social security number was not validated for an individual older than 12 months (1 case; questioned costs - $172).
• The SWICA interface utilized to validate household income did not properly report in the RIBridges case record. Since RIBridges reported incomplete SWICA income, the system failed to detect that household income exceeded federal income limits for CHIP and would have been ineligible for program benefits (1 case; questioned costs - $344).
• Citizenship was not documented. This child should have been covered under the State program since ineligible for Medicaid or CHIP (1 case; questioned costs - $524).
• Eligibility determination was impacted by eligibility technician (ET) worker errors. Errors included failure to 1) redetermine the case when household member turned 19 years old and 2) end date an employment segment when the household member lost employment. In these cases, household income would have made the child eligible for Medicaid not CHIP (2 cases; questioned costs - $2,483).
• Eligibility was determined using self-attested data when the SWICA interface reported income greater than the self-attested amounts and in excess of household income limits. No additional requests for documentation were sent to resolve the income discrepancy (3 cases; questioned costs - $1,029).
• Child should have been ineligible for CHIP due to existing third-party health coverage (3 cases; questioned costs - $2,913). See additional questioned costs determined through separate evaluation of ineligible CHIP claiming of children with third-party health insurance coverage below.
Our testing found exceptions in 13 out of 60 sampled cases resulting in an error rate of 21.7%. Total claims and capitation paid for sample cases total $182,283 (federal share - $125,775). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for CHIP reimbursement totaled $8,371 or 6.7% of claiming for sampled CHIP individuals. Our test results supported projected questioned costs estimated at $9,284,114 (federal share - $6,408,360).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent found 609 children charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2024 for those members totaled $1,829,447 (questioned costs - $1,262,318). The State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, the functionality did not effectively ensure that only uninsured children were charged to CHIP funding sources in fiscal 2024.
Deficiencies in program controls to ensure that children aged out of CHIP at age 19 continued to be noted during fiscal 2024. An analysis of children charged to CHIP during fiscal 2024, age 19 (plus 3 months to allow for notice and redetermination) or older noted 229 individuals with managed care capitation payments claimed to CHIP totaling $771,916 (questioned costs - $532,622). While PHE unwinding procedures reduced noncompliance in this area from the prior year, significant noncompliance was still noted during fiscal 2024.
Based on our sample testing exception noted above, we analyzed instances where children initially coded eligible with expenditures funded under CHIP were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 132 cases within CHIP during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
The cumulative noncompliance identified by our testing procedures over CHIP eligibility was deemed to represent material noncompliance with CHIP program eligibility requirements.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage, failure to follow up on PARIS notifications), ET error, or insufficient documentation supporting eligibility within the case record (i.e., lack of income and citizenship documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,803,311
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-056a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration, PARIS notification follow-up) to strengthen controls and ensure compliance with federal regulations regarding CHIP eligibility.
2024-056b Identify ET worker errors and case documentation deficiencies and conduct training to address common issues leading to incorrect or unsupported eligibility determinations.
2024-056c Identify ineligible CHIP costs and return to the federal grantor.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS, which claims the expenditures on federal reports. Agencies periodically adjust administrative expenditures reported in the State accounting system to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Supervisory review and monitoring was lacking or not formalized, as most agency cost allocation systems are operated by one individual; and
• Monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance is not being performed.
During our audit, reconciliations for prior period administrative claiming for BHDDH were ongoing to correct expenditures claimed in prior periods. Amounts claimed in prior quarters were not based on final cost allocation results and BHDDH did not provide the necessary reporting adjustments to correct prior period claiming.
Cause: Controls over allocation of administrative costs claimed to Medicaid and CHIP were not effective to ensure compliance with federal regulations.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-057 Improve internal controls over administrative claiming to federal programs by 1) completely documenting cost allocation policies and procedures, 2) reconciling quarterly cost allocation results to the State accounting system, and 3) enhancing supervision and monitoring of the cost allocation process.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods beginning on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State achieved compliance with the federal requirements for the periodic audit of encounter data in fiscal 2023 by contracting for its first study of MCO encounter data validation. The encounter data validation study evaluated incomplete data, performed missing data quality checks, and assessed the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality, coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans, represents an effort to improve the overall quality of financial and claim data submitted by the State’s managed care organizations.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-058a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2024-058b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) check the LEIE and EPLS no less frequently than monthly.
42 CFR §488.330, Certification of compliance or noncompliance, (f) Provider Agreements, states that CMS or the Medicaid agency may execute a provider agreement when a prospective provider is in substantial compliance with all the requirements for participation for a SNF or NF, respectively.
42 CFR §442.101, Obtaining certification, (a) This section states the requirements for obtaining notice of an ICF/IID's certification before a Medicaid agency executes a provider agreement under §442.12.
Condition: Our testing of 60 sampled fee-for-service and managed care organization providers for provider eligibility during fiscal 2024 noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from DCYF, resulting in a weakness in control for this segment of providers.
• For 4 of the 60 providers sampled, we noted instances where providers remained active during fiscal 2024 after provider licenses had expired, evidencing a deficiency in internal control relating to timely provider deactivation if provider licensure is not evidenced. No claims were paid to these providers; thus, noncompliance was not noted.
• Our review of provider licensure disciplinary actions taken by the RI Department of Health during fiscal 2024 identified 3 instances where provider licenses remained active after the provider’s license was revoked or suspended. There are no current processes that ensure that providers are made inactive in a timely manner upon license suspension or revocation.
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. This deficiency in internal controls over provider eligibility prevents the detection of claims submitted by unenrolled providers. Our testing noted 4 managed care providers that were not enrolled in the Medicaid Program as required by federal regulations, resulting in noncompliance with provider eligibility requirements (questioned costs - $3,371). All 4 providers were out-of-state providers required to be enrolled under federal regulations based on the volume of services billed to RI Medicaid. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim, in limited circumstances, to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-state providers with limited claiming activity.
• The State did not have documentation supporting review of the SSA Death Master File for 19 out of the 60 providers we tested.
• Federal regulations require States to check federal databases on a monthly basis for providers excluded from participating in federal programs. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State was not performing monthly checks during fiscal 2024.
• Federal regulations require the Medicaid agency to execute provider agreements with nursing facility providers and intermediate care facilities for individuals with intellectual disabilities (ICF/IID) upon receiving notification from the State survey and certification unit that the provider has been certified in substantial compliance with federal health and safety regulations. The State Medicaid agency lacked documentation of finalized provider agreements and approval letters to providers for 6 out of 18 providers reviewed. With respect to the State’s only ICF/IID facility, the State Medicaid agency was not monitoring the RI Department of Health’s (RIDOH) certification process and had no documentation from RIDOH regarding the facility’s health and safety certification. All providers were recertified by RIDOH and compliant with program health and safety requirements.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $3,371
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-059 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2024-005.
Capitation payments to managed care organizations (MCOs) represent approximately 57% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2024 approximated $2.1 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for more than 300,000 Medicaid eligible members – approximately 87% of total Medicaid enrollees at June 30, 2024. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See table within Finding]
In addition to capitation for medical services, RI Medicaid also expends over $30 million in premiums for dental coverage through the RIte Smiles program for more than 130,000 children in the RIte Care program. Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2024-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2024-058, Managed Care Financial Audit – CMS’s inclusion of managed care financial audit requirements was designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with federal requirements for contracted MCOs to submit audited financial reports specific to the Medicaid contract on an annual basis continues to represent a deficiency in internal control over managed care contract settlements.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2023 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. While the amount of claiming submitted by encounter data continued to improve, medical expenditures reported by the MCOs still exceeded submitted encounter data by $15.3 million in fiscal 2024. The following table provides context regarding the amount of medical expenditures that were not supported by encounter data in fiscal 2023 contract settlements.
[See table within Finding]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-060 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State accounting system (RIFANS) is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2024 noted the following reporting deficiencies:
• Approximately $8.4 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Healthcare related taxes and fees were reported quarterly for all identified healthcare related taxes required to be reported on the CMS-64 report in fiscal 2024. Testing of reports in fiscal 2024, however, identified errors which resulted in understatements of nursing home and HMO provider taxes in the amounts of $6.6 million and $18.3 million, respectively. The reporting of healthcare related taxes and fees is informational only, and therefore, does not affect the actual reporting of federal expenditures applicable to Medicaid.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Internal controls in the form of supervisory review of reporting are lacking to identify and correct errors in report preparation.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-061a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2024-061b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2024-061c Implement procedures for supervisory review of all federal reports before submission.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State accounting system (RIFANS) is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2024 noted the following reporting deficiencies:
• Approximately $8.4 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Healthcare related taxes and fees were reported quarterly for all identified healthcare related taxes required to be reported on the CMS-64 report in fiscal 2024. Testing of reports in fiscal 2024, however, identified errors which resulted in understatements of nursing home and HMO provider taxes in the amounts of $6.6 million and $18.3 million, respectively. The reporting of healthcare related taxes and fees is informational only, and therefore, does not affect the actual reporting of federal expenditures applicable to Medicaid.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Internal controls in the form of supervisory review of reporting are lacking to identify and correct errors in report preparation.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-061a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2024-061b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2024-061c Implement procedures for supervisory review of all federal reports before submission.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2024, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. Our procedures evaluated only TPL coverages that were consistent with the State’s managed care coverage.
We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our testing during fiscal 2024 found that the State’s three managed care organizations were unaware of existing private insurance for 48.3% (29 out of 60) of their covered members. These results showed a significant decline in MCO TPL verification from fiscal 2023.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-062 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
The Executive Office of Health and Human Services (EOHHS) needs to formalize and document internal control procedures to ensure local education agency (LEA) compliance with Medicaid requirements relating to the allowability of special education services.
Criteria: 2 CFR §200.303 Internal controls, requires the State to “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), (b) comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award, (c) evaluate and monitor the recipient's or subrecipient's compliance with statutes, regulations, and the terms and conditions of Federal awards, and (d) take prompt action when instances of noncompliance are identified.”
Condition: EOHHS did not conduct periodic site visits to LEAs during fiscal 2024. EOHHS has well-established policies and procedures relating to its oversight of special education services, which are detailed in Direct and Administrative Services Guidebooks for LEAs. Without periodic site visits or other documented control procedures designed to ensure local education agency compliance with the Medicaid policies and procedures that define the requirements for the allowability of special education services, internal controls are currently lacking over compliance in this area. In formalizing internal controls, EOHHS will be able to define the appropriate amount of oversight needed to ensure compliance with requirements for LEA special education services.
Cause: Lack of documented internal controls over LEA direct and administrative claiming.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-063 Document and implement internal controls to ensure the allowability of special education services for reimbursement by Medicaid.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
MEDICAID ELIGIBILITY QUALITY CONTROL
EOHHS did not comply with 42 CFR §431.812(a), which requires that the Medicaid Eligibility Quality Control (MEQC) process function independently of the personnel responsible for eligibility determination processes.
Criteria: 42 CFR §431.812(a), Review Procedures – General Requirements, Internal controls, requires the State “to conduct a MEQC pilot during the 2 years between required PERM cycles in accordance with the approved pilot planning document specified in §431.814, as well as other instructions established by CMS. The agency and personnel responsible for the development, direction, implementation, and evaluation of the MEQC reviews and associated activities, must be functionally and physically separate from the State agencies and personnel that are responsible for Medicaid and CHIP policy and operations, including eligibility determinations.”
Condition: Due to staffing limitations within the MEQC unit, eligibility supervisors from the Department of Human Services (DHS) were utilized to conduct MEQC case reviews during fiscal 2024. Since those supervisors directly oversee the processing of Medicaid eligibility within DHS field offices, this represented noncompliance with federal requirements. Our review of the MEQC case reviews found that the reviews were performed in accordance with the department’s policies and procedures and that the results of the reviews performed were consistent with our own testing of CHIP and Medicaid eligibility requirements, citing many of the same deficiencies.
Cause: Lack of MEQC unit staffing required the use of staff that was not organizationally independent of the program’s eligibility determination processes.
Effect: Noncompliance with federal regulations relating to the operation of MEQC processes within the Medicaid program.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-064 Address staffing deficiencies within the MEQC unit to provide for organizationally independent staff to conduct required quality control procedures.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s integrated eligibility system (IES) used to administer multiple federally funded human services programs, determines eligibility for Medicaid. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted public health emergency (PHE) unwinding procedures requiring a phased rollout of member eligibility redeterminations during fiscal 2024.
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR §435.940 through §435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
Medicaid Modified Adjusted Gross Income (MAGI) Determination and Validation policies are formalized within Title 210, Executive Office of Health and Human Services, of the RI Code of Regulations, Chapter 30, Subchapter 00, Part 5, Policy 5.8, Verification Process. Part B of Policy 5.8 states:
"B. The following lists key eligibility factors, the types of verification required for attestations, if any, and the verification sources for Medicaid Affordable Care Coverage (MACC) Group applicants/beneficiaries:
1. Identity – An applicant must provide proof of identity when applying through the IES or filing a paper application. The requirements related to identity proofing are set forth in Part 30-00-3 of Title 210. Certain applicants may not be able to obtain identity proofing through the federal hub due to data limitations. Pre-eligibility verification is required through an alternative electronic paper documentation source in these instances to establish an account.
2. Income – Electronic verification of attested income is required by the State. Multiple electronic data sources may be used for this purpose. In general, State data sources (such as State Wage Information Collection Agency (SWICA) UI) will be used first. The reasonable compatibility standard applies when there are discrepancies between the applicant’s income self-attestation and information from electronic data sources.
3. General Eligibility – Non-Financial Factors – (Social Security Numbers, Age, Citizenship, Death, Date of Birth, Residency, and Incarceration). Information on these eligibility factors is verified against various State and federal data sources. Information specific to verification requirements for MAGI populations is located in Part 30-00-3 of Title 210; for Medicaid and CHIP-funded eligibility more generally, the applicable provisions are set forth in Part 30-00-3 of Title 210."
Condition: For fiscal 2024, we tested a sample of 60 Medicaid eligible members (total population of individuals with reported Medicaid eligibility during fiscal year 2024 totaled 364,142) for compliance with program eligibility. Total capitation payments claimed to Medicaid exceeded $2.1 billion (federal share - $1.4 billion) during fiscal 2024. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the SWICA interface were noted in 2 out of 60 cases (questioned costs - $557). Income verified in the case record or reported by the SWICA interface, if utilized to determine eligibility, would have made the members ineligible for Medicaid.
• Documentation supporting applicant citizenship (e.g., electronic Social Security Administration validation or applicant submitted documentation) was lacking in 3 out of 60 cases (questioned costs - $17,877).
• Members were determined ineligible in RIBridges; however, the change in eligibility status was not communicated to the MMIS in 2 out of the 60 cases. These members remained continuously Medicaid eligible in the MMIS and enrolled in managed care (questioned costs - $1,084).
As noted above, eligibility was determined to be incorrect or unsupported in 7 of 60 sample members tested (11.7% error rate). Total claims and capitation paid for sample cases total $344,149 (federal share - $231,147). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for Medicaid reimbursement totaled $19,518 or 6.5% of claiming for sampled Medicaid individuals. Our test results supported projected questioned costs estimated at $234 million (federal share - $157 million). Our sample error rate of 11.7% was comparable to the 15% reported case error rate noted by the Medicaid Eligibility Quality Control unit’s review of calendar year 2023 cases.
In addition to evaluating eligibility determinations, we also tested recipient eligibility in conjunction with our testing of managed care capitation payments. Our testing of sampled managed care payments in fiscal 2024 also noted an exception where capitation payments totaling $3,784 (federal share - $2,119) were made for an ineligible individual. In this instance, RIBridges determined the individual ineligible for Medicaid but eligibility was not ended in the MMIS, allowing capitation payments to continue.
We also noted the following exceptions during our case reviews that were indicative of eligibility processing deficiencies but did not impact member eligibility for Medicaid:
• Member’s eligibility was terminated in error and had to be reinstated;
• Mismatch of Social Security Number between MMIS and RIBridges;
• Income from lost employment was utilized in household income in error;
• Member eligibility aid categories were not properly updated when redetermined;
• Case information submitted by member was not properly updated in case record; and
• Certain system tasks were not acted upon in a timely manner.
These exceptions should be evaluated by management and addressed as they could have impacted the member’s eligibility determination.
In addition to the noncompliance identified by our sample audit procedures above, we also performed data mining procedures which identified the following noncompliance with eligibility requirements:
Since income verification was noted as a significant issue in our sample testing, we conducted additional data mining procedures to further evaluate the operating effectiveness of the SWICA interface within RIBridges. Our analysis identified individuals with quarterly income in excess of $20,000 reported in the SWICA file obtained from the RI Department of Labor and Training for 5 consecutive quarters (quarter ending June 30, 2023 through the quarter ending June 30, 2024) that had Medicaid eligibility for the entirety of fiscal 2024. Our analysis identified 144 individuals with reported annual income in excess of $80,000 where excess income was not detected and individuals remained eligible as of June 30, 2024. EOHHS will need to review these cases and determine why the system functionality did not operate effectively. These cases will also need follow-up to provide proper member notification and eligibility redetermination.
The State continued to claim Medicaid Expansion enhanced reimbursement (90% Federal Medical Assistance Percentage) for certain members older than 65 during fiscal 2024. Our analysis identified 91 members where RI Medicaid failed to redetermine eligibility at age 65; 33 of these members were older than age 67. We identified $559,374 in capitation paid for these members after the age of 65 (federal questioned costs - $503,437). While this issue was improved in fiscal 2024 by Medicaid members being redetermined during the PHE unwinding process, controls were still found lacking to ensure that individuals were aged out of Medicaid Expansion upon turning age 65.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2024 to determine the State’s timeliness of terminating eligibility for deceased members. The Do Not Pay service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 1,706 deceased members (reported date of death prior to March 31, 2024 to allow for 90 days for identification and notification requirements) still active on Medicaid at June 30, 2024. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2024 subsequent to the month of death is summarized as follows:
[See table within Finding]
While PHE unwinding procedures also led to some improvements during fiscal 2024, controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments are continuing is significant and could span managed care contract settlement periods. To provide context on how long capitation payments can continue when member death is not detected timely, our analysis identified 457 members that had reported dates of death greater than 2 years. We identified capitation payments totaling $2.7 million for deceased members that would be considered unallowable Medicaid payments (federal questioned costs - $1,602,490).
We also analyzed instances where children initially coded eligible with expenditures funded under Medicaid were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 282 cases within Medicaid during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation). Significant differences in eligibility reported between the MMIS and RIBridges also resulted in noncompliance with federal requirements for eligibility.
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $2,127,564
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-065a Address and correct the eligibility system and process deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, citizenship verification, death reporting, PARIS reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2024-065b Implement procedures to identify noncompliance resulting from eligibility system and process deficiencies so that cases can be worked manually to resolve long-standing instances of noncompliance detected by external audits and MEQC processes.
2024-065c Identify ineligible Medicaid costs and return to the federal grantor.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s integrated eligibility system (IES) used to administer multiple federally funded human services programs, determines eligibility for Medicaid. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted public health emergency (PHE) unwinding procedures requiring a phased rollout of member eligibility redeterminations during fiscal 2024.
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR §435.940 through §435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
Medicaid Modified Adjusted Gross Income (MAGI) Determination and Validation policies are formalized within Title 210, Executive Office of Health and Human Services, of the RI Code of Regulations, Chapter 30, Subchapter 00, Part 5, Policy 5.8, Verification Process. Part B of Policy 5.8 states:
"B. The following lists key eligibility factors, the types of verification required for attestations, if any, and the verification sources for Medicaid Affordable Care Coverage (MACC) Group applicants/beneficiaries:
1. Identity – An applicant must provide proof of identity when applying through the IES or filing a paper application. The requirements related to identity proofing are set forth in Part 30-00-3 of Title 210. Certain applicants may not be able to obtain identity proofing through the federal hub due to data limitations. Pre-eligibility verification is required through an alternative electronic paper documentation source in these instances to establish an account.
2. Income – Electronic verification of attested income is required by the State. Multiple electronic data sources may be used for this purpose. In general, State data sources (such as State Wage Information Collection Agency (SWICA) UI) will be used first. The reasonable compatibility standard applies when there are discrepancies between the applicant’s income self-attestation and information from electronic data sources.
3. General Eligibility – Non-Financial Factors – (Social Security Numbers, Age, Citizenship, Death, Date of Birth, Residency, and Incarceration). Information on these eligibility factors is verified against various State and federal data sources. Information specific to verification requirements for MAGI populations is located in Part 30-00-3 of Title 210; for Medicaid and CHIP-funded eligibility more generally, the applicable provisions are set forth in Part 30-00-3 of Title 210."
Condition: For fiscal 2024, we tested a sample of 60 Medicaid eligible members (total population of individuals with reported Medicaid eligibility during fiscal year 2024 totaled 364,142) for compliance with program eligibility. Total capitation payments claimed to Medicaid exceeded $2.1 billion (federal share - $1.4 billion) during fiscal 2024. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the SWICA interface were noted in 2 out of 60 cases (questioned costs - $557). Income verified in the case record or reported by the SWICA interface, if utilized to determine eligibility, would have made the members ineligible for Medicaid.
• Documentation supporting applicant citizenship (e.g., electronic Social Security Administration validation or applicant submitted documentation) was lacking in 3 out of 60 cases (questioned costs - $17,877).
• Members were determined ineligible in RIBridges; however, the change in eligibility status was not communicated to the MMIS in 2 out of the 60 cases. These members remained continuously Medicaid eligible in the MMIS and enrolled in managed care (questioned costs - $1,084).
As noted above, eligibility was determined to be incorrect or unsupported in 7 of 60 sample members tested (11.7% error rate). Total claims and capitation paid for sample cases total $344,149 (federal share - $231,147). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for Medicaid reimbursement totaled $19,518 or 6.5% of claiming for sampled Medicaid individuals. Our test results supported projected questioned costs estimated at $234 million (federal share - $157 million). Our sample error rate of 11.7% was comparable to the 15% reported case error rate noted by the Medicaid Eligibility Quality Control unit’s review of calendar year 2023 cases.
In addition to evaluating eligibility determinations, we also tested recipient eligibility in conjunction with our testing of managed care capitation payments. Our testing of sampled managed care payments in fiscal 2024 also noted an exception where capitation payments totaling $3,784 (federal share - $2,119) were made for an ineligible individual. In this instance, RIBridges determined the individual ineligible for Medicaid but eligibility was not ended in the MMIS, allowing capitation payments to continue.
We also noted the following exceptions during our case reviews that were indicative of eligibility processing deficiencies but did not impact member eligibility for Medicaid:
• Member’s eligibility was terminated in error and had to be reinstated;
• Mismatch of Social Security Number between MMIS and RIBridges;
• Income from lost employment was utilized in household income in error;
• Member eligibility aid categories were not properly updated when redetermined;
• Case information submitted by member was not properly updated in case record; and
• Certain system tasks were not acted upon in a timely manner.
These exceptions should be evaluated by management and addressed as they could have impacted the member’s eligibility determination.
In addition to the noncompliance identified by our sample audit procedures above, we also performed data mining procedures, which identified the following noncompliance with eligibility requirements:
Since income verification was noted as a significant issue in our sample testing, we conducted additional data mining procedures to further evaluate the operating effectiveness of the SWICA interface within RIBridges. Our analysis identified individuals with quarterly income in excess of $20,000 reported in the SWICA file obtained from the RI Department of Labor and Training for 5 consecutive quarters (quarter ending June 30, 2023 through the quarter ending June 30, 2024) that had Medicaid eligibility for the entirety of fiscal 2024. Our analysis identified 144 individuals with reported annual income in excess of $80,000 where excess income was not detected and individuals remained eligible as of June 30, 2024. EOHHS will need to review these cases and determine why the system functionality did not operate effectively. These cases will also need follow-up to provide proper member notification and eligibility redetermination.
The State continued to claim Medicaid Expansion enhanced reimbursement (90% Federal Medical Assistance Percentage) for certain members older than 65 during fiscal 2024. Our analysis identified 91 members where RI Medicaid failed to redetermine eligibility at age 65; 33 of these members were older than age 67. We identified $559,374 in capitation paid for these members after the age of 65 (federal questioned costs - $503,437). While this issue was improved in fiscal 2024 by Medicaid members being redetermined during the PHE unwinding process, controls were still found lacking to ensure that individuals were aged out of Medicaid Expansion upon turning age 65.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2024 to determine the State’s timeliness of terminating eligibility for deceased members. The Do Not Pay service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 1,706 deceased members (reported date of death prior to March 31, 2024 to allow for 90 days for identification and notification requirements) still active on Medicaid at June 30, 2024. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2024 subsequent to the month of death is summarized as follows:
[See table within Finding]
While PHE unwinding procedures also led to some improvements during fiscal 2024, controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments are continuing is significant and could span managed care contract settlement periods. To provide context on how long capitation payments can continue when member death is not detected timely, our analysis identified 457 members that had reported dates of death greater than 2 years. We identified capitation payments totaling $2.7 million for deceased members that would be considered unallowable Medicaid payments (federal questioned costs - $1,602,490).
We also analyzed instances where children initially coded eligible with expenditures funded under Medicaid were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 282 cases within Medicaid during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation). Significant differences in eligibility reported between the MMIS and RIBridges also resulted in noncompliance with federal requirements for eligibility.
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $2,127,564
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-065a Address and correct the eligibility system and process deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, citizenship verification, death reporting, PARIS reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2024-065b Implement procedures to identify noncompliance resulting from eligibility system and process deficiencies so that cases can be worked manually to resolve long-standing instances of noncompliance detected by external audits and MEQC processes.
2024-065c Identify ineligible Medicaid costs and return to the federal grantor.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s integrated eligibility system (IES) used to administer multiple federally funded human services programs, determines eligibility for Medicaid. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted public health emergency (PHE) unwinding procedures requiring a phased rollout of member eligibility redeterminations during fiscal 2024.
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR §435.940 through §435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
Medicaid Modified Adjusted Gross Income (MAGI) Determination and Validation policies are formalized within Title 210, Executive Office of Health and Human Services, of the RI Code of Regulations, Chapter 30, Subchapter 00, Part 5, Policy 5.8, Verification Process. Part B of Policy 5.8 states:
"B. The following lists key eligibility factors, the types of verification required for attestations, if any, and the verification sources for Medicaid Affordable Care Coverage (MACC) Group applicants/beneficiaries:
1. Identity – An applicant must provide proof of identity when applying through the IES or filing a paper application. The requirements related to identity proofing are set forth in Part 30-00-3 of Title 210. Certain applicants may not be able to obtain identity proofing through the federal hub due to data limitations. Pre-eligibility verification is required through an alternative electronic paper documentation source in these instances to establish an account.
2. Income – Electronic verification of attested income is required by the State. Multiple electronic data sources may be used for this purpose. In general, State data sources (such as State Wage Information Collection Agency (SWICA) UI) will be used first. The reasonable compatibility standard applies when there are discrepancies between the applicant’s income self-attestation and information from electronic data sources.
3. General Eligibility – Non-Financial Factors – (Social Security Numbers, Age, Citizenship, Death, Date of Birth, Residency, and Incarceration). Information on these eligibility factors is verified against various State and federal data sources. Information specific to verification requirements for MAGI populations is located in Part 30-00-3 of Title 210; for Medicaid and CHIP-funded eligibility more generally, the applicable provisions are set forth in Part 30-00-3 of Title 210."
Condition: For fiscal 2024, we tested a sample of 60 Medicaid eligible members (total population of individuals with reported Medicaid eligibility during fiscal year 2024 totaled 364,142) for compliance with program eligibility. Total capitation payments claimed to Medicaid exceeded $2.1 billion (federal share - $1.4 billion) during fiscal 2024. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the SWICA interface were noted in 2 out of 60 cases (questioned costs - $557). Income verified in the case record or reported by the SWICA interface, if utilized to determine eligibility, would have made the members ineligible for Medicaid.
• Documentation supporting applicant citizenship (e.g., electronic Social Security Administration validation or applicant submitted documentation) was lacking in 3 out of 60 cases (questioned costs - $17,877).
• Members were determined ineligible in RIBridges; however, the change in eligibility status was not communicated to the MMIS in 2 out of the 60 cases. These members remained continuously Medicaid eligible in the MMIS and enrolled in managed care (questioned costs - $1,084).
As noted above, eligibility was determined to be incorrect or unsupported in 7 of 60 sample members tested (11.7% error rate). Total claims and capitation paid for sample cases total $344,149 (federal share - $231,147). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for Medicaid reimbursement totaled $19,518 or 6.5% of claiming for sampled Medicaid individuals. Our test results supported projected questioned costs estimated at $234 million (federal share - $157 million). Our sample error rate of 11.7% was comparable to the 15% reported case error rate noted by the Medicaid Eligibility Quality Control unit’s review of calendar year 2023 cases.
In addition to evaluating eligibility determinations, we also tested recipient eligibility in conjunction with our testing of managed care capitation payments. Our testing of sampled managed care payments in fiscal 2024 also noted an exception where capitation payments totaling $3,784 (federal share - $2,119) were made for an ineligible individual. In this instance, RIBridges determined the individual ineligible for Medicaid but eligibility was not ended in the MMIS, allowing capitation payments to continue.
We also noted the following exceptions during our case reviews that were indicative of eligibility processing deficiencies but did not impact member eligibility for Medicaid:
• Member’s eligibility was terminated in error and had to be reinstated;
• Mismatch of Social Security Number between MMIS and RIBridges;
• Income from lost employment was utilized in household income in error;
• Member eligibility aid categories were not properly updated when redetermined;
• Case information submitted by member was not properly updated in case record; and
• Certain system tasks were not acted upon in a timely manner.
These exceptions should be evaluated by management and addressed as they could have impacted the member’s eligibility determination.
In addition to the noncompliance identified by our sample audit procedures above, we also performed data mining procedures, which identified the following noncompliance with eligibility requirements:
Since income verification was noted as a significant issue in our sample testing, we conducted additional data mining procedures to further evaluate the operating effectiveness of the SWICA interface within RIBridges. Our analysis identified individuals with quarterly income in excess of $20,000 reported in the SWICA file obtained from the RI Department of Labor and Training for 5 consecutive quarters (quarter ending June 30, 2023 through the quarter ending June 30, 2024) that had Medicaid eligibility for the entirety of fiscal 2024. Our analysis identified 144 individuals with reported annual income in excess of $80,000 where excess income was not detected and individuals remained eligible as of June 30, 2024. EOHHS will need to review these cases and determine why the system functionality did not operate effectively. These cases will also need follow-up to provide proper member notification and eligibility redetermination.
The State continued to claim Medicaid Expansion enhanced reimbursement (90% Federal Medical Assistance Percentage) for certain members older than 65 during fiscal 2024. Our analysis identified 91 members where RI Medicaid failed to redetermine eligibility at age 65; 33 of these members were older than age 67. We identified $559,374 in capitation paid for these members after the age of 65 (federal questioned costs - $503,437). While this issue was improved in fiscal 2024 by Medicaid members being redetermined during the PHE unwinding process, controls were still found lacking to ensure that individuals were aged out of Medicaid Expansion upon turning age 65.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2024 to determine the State’s timeliness of terminating eligibility for deceased members. The Do Not Pay service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 1,706 deceased members (reported date of death prior to March 31, 2024 to allow for 90 days for identification and notification requirements) still active on Medicaid at June 30, 2024. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2024 subsequent to the month of death is summarized as follows:
[See table within Finding]
While PHE unwinding procedures also led to some improvements during fiscal 2024, controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments are continuing is significant and could span managed care contract settlement periods. To provide context on how long capitation payments can continue when member death is not detected timely, our analysis identified 457 members that had reported dates of death greater than 2 years. We identified capitation payments totaling $2.7 million for deceased members that would be considered unallowable Medicaid payments (federal questioned costs - $1,602,490).
We also analyzed instances where children initially coded eligible with expenditures funded under Medicaid were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 282 cases within Medicaid during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation). Significant differences in eligibility reported between the MMIS and RIBridges also resulted in noncompliance with federal requirements for eligibility.
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $2,127,564
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-065a Address and correct the eligibility system and process deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, citizenship verification, death reporting, PARIS reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2024-065b Implement procedures to identify noncompliance resulting from eligibility system and process deficiencies so that cases can be worked manually to resolve long-standing instances of noncompliance detected by external audits and MEQC processes.
2024-065c Identify ineligible Medicaid costs and return to the federal grantor.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023
Federal Award Number: 4505DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER PROJECT WORKBOOK REIMBURSEMENT SUBMISSIONS
Controls over project workbook submissions for reimbursement of eligible costs were not operating effectively to ensure all claimed costs were accurately documented, leading to reimbursement of unallowable costs.
Background: RIEMA, as the direct recipient agency of Public Assistance grants provided by FEMA, assists in the facilitation of cost reimbursement claims for the various departments and agencies within the State. Comprehensive workbooks are used to account for the itemized costs being claimed for reimbursement and are included as support to the reimbursement claim made through the FEMA Grants Portal.
Criteria: 2 CFR §200.403(g) requires that allowable costs under federal awards be adequately documented.
Condition: We selected a sample of 23 federal award drawdowns (cost reimbursement claims) during fiscal 2024, covering 96% of the population across 11 unique projects. Our testing of project workbook submissions found two discrepancies within project 694201 between amounts claimed for reimbursement in the workbooks and amounts recorded in the State accounting system and noted in supporting documentation:
• One line item for a claimed invoice appeared to have keyed an additional digit onto the claimed amount in error (questioned costs – $211,751).
• Another invoice appeared to transpose the incorrect column to the workbook in three out of four claimed line items (questioned costs – $117,352).
Cause: Review of project workbook submissions and supporting documentation was inadequate to identify claimed costs in excess of expenditures incurred by the State.
Effect: Reimbursement of costs that were not incurred by the State.
Questioned Costs: $329,103
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-067a Improve review procedures to ensure accuracy of workbook reimbursement submissions to FEMA.
2024-067b Credit the federal grantor for unallowable costs that were reimbursed.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023; 2022 - 2024
Federal Award Number: 4505DRRIP00000001; 4653DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
Controls were not in place to ensure adequate monitoring of subrecipients throughout the fiscal year.
Background: RIEMA, as the direct recipient agency of Public Assistance grants provided by FEMA, disburses pass-through awards to various subrecipients for their respective cost reimbursements. These cost reimbursement awards are required to be reported on the State’s Schedule of Expenditures of Federal Awards and accordingly are subject to the subrecipient monitoring requirements of the Uniform Guidance.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, and (3) issuing a management decision for audit findings pertaining to the Federal award.
Condition: RIEMA did not perform required subrecipient monitoring procedures during the majority of fiscal 2024. In April 2024, RIEMA implemented a tracking worksheet to review subrecipient audit reports submitted to the Federal Audit Clearinghouse as part of the review process of subrecipient project submissions. The tracking worksheet identifies the date the review of the FAC was performed and whether any findings related to the program were reported. RIEMA implemented these procedures as corrective actions to address prior year findings relating to subrecipient monitoring.
Cause: Monitoring procedures were not in place for a substantial portion of the audit period.
Effect: RIEMA did not monitor subrecipients for a material portion of the fiscal year.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-068a Complete implementation of subrecipient monitoring procedures by improving the detail maintained in the tracking worksheet to provide more transparency as to what was reviewed (e.g., audit year reviewed, FAC submission date, documentation of control deficiencies related to the financial statements).
2024-068b RIEMA will also need to document its review of subrecipient audit reports including follow-up on findings reported in Single Audit Reports and issuing management decisions when required.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023; 2022 - 2024
Federal Award Number: 4505DRRIP00000001; 4653DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
Controls were not in place to ensure adequate monitoring of subrecipients throughout the fiscal year.
Background: RIEMA, as the direct recipient agency of Public Assistance grants provided by FEMA, disburses pass-through awards to various subrecipients for their respective cost reimbursements. These cost reimbursement awards are required to be reported on the State’s Schedule of Expenditures of Federal Awards and accordingly are subject to the subrecipient monitoring requirements of the Uniform Guidance.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
Condition: RIEMA did not perform required subrecipient monitoring procedures during the majority of fiscal 2024. In April 2024, RIEMA implemented a tracking worksheet to review subrecipient audit reports submitted to the Federal Audit Clearinghouse as part of the review process of subrecipient project submissions. The tracking worksheet identifies the date the review of the FAC was performed and whether any findings related to the program were reported. RIEMA implemented these procedures as corrective actions to address prior year findings relating to subrecipient monitoring.
Cause: Monitoring procedures were not in place for a substantial portion of the audit period.
Effect: RIEMA did not monitor subrecipients for a material portion of the fiscal year.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-068a Complete implementation of subrecipient monitoring procedures by improving the detail maintained in the tracking worksheet to provide more transparency as to what was reviewed (e.g., audit year reviewed, FAC submission date, documentation of control deficiencies related to the financial statements).
2024-068b RIEMA will also need to document its review of subrecipient audit reports including follow-up on findings reported in Single Audit Reports and issuing management decisions when required.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023
Federal Award Number: 4505DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FINANCIAL REPORTING
Controls over federal financial reporting can be enhanced to ensure submitted reports are accurate for the period activity being reported.
Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF-425, Federal Financial Report (FFR), quarterly for the grant on a cumulative cash basis. The FFR should be sufficiently supported by the State’s accounting records.
Condition: With the exception of the Recipient Share portion of the report, amounts reported on the March 2024 quarterly SF-425 reflected the amounts previously reported in the December 2023 report. An additional $9.9 million was receipted in the March quarter that was not reported. Cumulative amounts reported at State fiscal year end were accurate and complete.
Cause: A formula error in the underlying support worksheet was not detected prior to submission of the report.
Effect: Amounts reported on the SF-425 for the quarter ended March 31, 2024 were not accurate and consistent with the underlying support.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-069a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with underlying accounting records.
2024-069b Enhance review procedures prior to submission to compare the current quarter to the previous quarter.
2024-069c Submit revised SF-425 to reflect corrected expenditures and drawdowns for fiscal 2024, as necessary.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023; 2022 - 2024
Federal Award Number: 4505DRRIP00000001; 4653DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) REPORTING
Controls over FFATA reporting can be enhanced to ensure timely and complete reporting of subawards issued during the fiscal year.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS).
Condition: Subaward information entered into the FSRS and made publicly available via USASpending.gov was not inclusive of all subawards made during fiscal 2024. In our testing of compliance with FFATA, we noted the following exceptions:
[See table within Finding]
Cause: Controls and monitoring procedures were not effective to ensure subawards were reported in compliance with FFATA reporting requirements.
Effect: RIEMA did not sufficiently comply with the reporting requirements of FFATA.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-070 Enhance controls over FFATA reporting to ensure subawards are reported timely. Incorporate FFATA reporting procedures into existing procedures when disbursing funds to subrecipients.
STATEWIDE CASH MANAGEMENT
Federal Agency: U.S. Department of Treasury (TREAS)
State Fiscal Year: 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Administration (DOA), Office of Accounts and Control (OAC)
Compliance Requirement: Cash Management
CONTROLS OVER CASH MANAGEMENT IMPROVEMENT ACT (CMIA) – INTEREST CALCULATIONS
The State lacks monitoring controls over the calculation of interest due under the CMIA. Errors in the mechanical calculation of interest due were not detected by the State.
Background: Under the Cash Management Improvement Act, the State and U.S. Treasury enter into a Treasury-State Agreement (TSA) on an annual basis. The federal programs covered by the TSA are recalculated annually, based on a threshold using the Schedule of Expenditures of Federal Awards (SEFA) from two fiscal years prior (i.e., the 2024 TSA programs are calculated using the 2022 SEFA).
Criteria: Paragraph 8.6.1 of the State’s 2024 TSA states “The State shall be liable for interest on Federal funds from the date Federal funds are credited to a State account until the date those funds are paid out for program purposes.” Further, paragraph 8.6.2.1 states “To determine the total time Federal funds are held, the State shall measure the time between the date Federal funds are received and credited to a State’s account and the date those funds are debited from the State’s account.”
Condition: In recalculating the programs to be included in the 2024 TSA, we identified 4 new programs that were added from the prior year; all applicable programs were properly included in the fiscal 2024 TSA. However, when reviewing the interest calculations for the programs covered by the 2024 TSA, we noted that one of these new programs was not listed in the supporting worksheet for the interest calculations. In addition, that program, along with another new program in 2024, was not included in the detailed report that supported the calculation of daily cash balances subject to interest.
Cause: Review procedures over the CMIA interest calculation did not ensure that all programs covered by the TSA were properly included in the calculation. Additionally, the underlying report supporting the calculations was not modified to include the additional programs in fiscal 2024.
Effect: Interest liability amounts due to the U.S. Treasury may exist and remain unidentified.
Questioned Costs: $110 (estimated)
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-029 Enhance review procedures to ensure all programs in the TSA are included in the interest calculation on an annual basis. Ensure underlying reports are properly modified, as necessary, to capture data for all programs in the TSA.
STATEWIDE COST ALLOCATION PLAN
Federal Cognizant Agency: U.S. Department of Health and Human Services (HHS)
State Fiscal Year: 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Administration (DOA), Office of Accounts and Control (OAC)
Compliance Requirement: Allowable Costs/Cost Principles
DOCUMENTATION OF FUNDING MECHANISMS WITHIN THE STATEWIDE COST ALLOCATION PLAN
Documentation of the funding mechanism for grants management services within the Statewide Cost Allocation Plan can be improved.
Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State’s statewide cost allocation plan (SWCAP). This plan is submitted annually for approval by the State’s federal cognizant agency, the U.S. Department of Health and Human Services. The SWCAP agreement includes the approval of billed costs, charges for services that are billed in accordance with rates established by the State and approved by the federal government as part of the SWCAP agreement.
Condition: While the costs for statewide grants management services appear to be included in the allocated cost section of the SWCAP, the State is allocating those costs to federal programs based on a “billed” methodology. The methodology for these services assesses departments and agencies based on a two-tiered calculation: first, a per license fee for users of the State’s grants management system, and secondly, an assessment to cover other grants management unit costs applied to the respective departments based on a proportionate share of total federal expenditures, excluding certain programs.
We were unable to determine whether the mechanism used to assess the costs related to statewide grants management services across departments and agencies during fiscal 2024 was in accordance with the approved statewide cost allocation plan.
Cause: The State did not include the grants management services as part of its billed costs in the most recent federally approved SWCAP agreement.
Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-030 Submit cost allocation methodology for grants management services allocated to federal programs as part of billed costs in the statewide cost allocation plan.
SNAP CLUSTER – 10.551, 10.561
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service (FNS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: Not Applicable
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Allowable Costs/Cost Principles
SNAP - ALLOWABLE COSTS – OTHER MATTERS
Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA).
Criteria: 2 CFR §200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards.
Condition: During our fiscal 2024 audit of the State, we learned of a potential fraud relating to the SNAP Cluster. Based on a tip, OIA identified a claimant using multiple social security numbers. The OIA’s findings were communicated to law enforcement and charges were filed against the individual. While the alleged fraud is greater than $25,000, the case prosecution is ongoing and the actual amount of fraudulent payments is unknown at this time.
Cause: Potential fraud committed by a claimant. Payments were allegedly made to an individual based on fraudulent identities and stolen information.
Effect: Noncompliance with federal regulations for the Supplemental Nutrition Assistance Program.
Questioned Costs: Undetermined
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-031 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFAs, where applicable, submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of a FSMC, without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of a FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c) which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance with 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFA, where applicable, must submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of a FSMC, without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of a FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c) which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance of 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFA, where applicable, must submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of a FSMC, without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of a FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c) which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance of 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFA, where applicable, must submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of a FSMC, without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of a FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c) which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance of 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Procurement, Suspension and Debarment
PROCUREMENT COMPLIANCE
RIDE did not ensure that three out of five School Food Authorities (SFA) submitted their written code of standards of conduct as required by federal regulations before approving their procurement.
Background: RIDE reviews and approves the SFA procurement procedures regarding procuring a Food Service Management Company (FSMC). To ensure compliance, RIDE makes available a template for policy and procedures, the code of standards of conduct, and the whole procurement process as it pertains to the SFA procuring a Food Service Management Company (FSMC).
Criteria: Federal regulation 7 CFR §210.21(c) requires that SFA, where applicable, must submit a written code of standards of conduct meeting the minimum standards of 2 CFR §200.318 to RIDE during their procurement process.
Condition: Due to the materiality of the expenditures relating to FSMC procurements, we selected 2 of the 5 FSMC procurements in conjunction with our procurement testing of all vendors. Our testing noted that RIDE approved one SFA’s procurement of a FSMC, without having the SFA’s required written code of standards of conduct. We followed up with RIDE to determine if this was an isolated instance and found that the code of standards of conduct was missing in 3 out of 5 procurements.
Cause: RIDE’s policies, procedures and controls were not adequate to ensure that the Department received the SFA’s written code of standards of conduct before approving the SFA’s procurement of a FSMC.
Effect: RIDE is not in compliance with 7 CFR §210.21(c), which requires the SFA to submit a written code of standards of conduct to RIDE with the minimum standards stated in 2 CFR §200.318.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-032 Establish policies and procedures in conjunction with formalizing internal control to ensure compliance with 7 CFR §210.21(c) by requiring SFAs to submit a written code of standards of conduct at the beginning of the procurement process.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Reporting
FEDERAL REPORTING – SF-425 FINANCIAL REPORTS
RIDE did not submit complete and timely SF-425 Financial Reports in accordance with federal requirements.
Background: RIDE has an individual who initiates the SF-425 report by compiling data from RIFANS. Once the report is completed and entered on the fprs.fns.usda.gov reporting site, the initiator notifies a separate individual to submit the report and have it certified. The SF-425 Federal Financial Report should be submitted on the reporting website no later than 30 calendar days after the reporting period for the quarterly report and no later than 90 calendar days after the reporting period for the final annual report. The SF-425 is a cumulative report until the final report is submitted.
Criteria: According to 2 CFR §200.328(c), RIDE must submit the SF-425 quarterly report no later than 30 calendar days after the reporting period and no later than 90 days after the reporting period for the final annual report.
Condition: RIDE did not submit 3 of the 4 SF-425 reports (1 quarterly and 2 final annual reports) within the required period for the Fresh Fruit and Vegetable Program and Supply Chain Assistance (part of the National School Lunch Program).
Cause: The department did not have adequate controls to ensure timely and complete reporting of the SF-425 Federal Financial Report.
Effect: RIDE did not comply with reporting requirements of SF-425 Federal Financial Reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-033 Establish policies and procedures in conjunction with formalizing internal control that ensures complete and timely reporting of the SF-425 Federal Financial Report.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA)
Controls over reporting of subawards can be enhanced to ensure accurate and complete reporting in accordance with FFATA requirements.
Background: RIDE must report on the School Food Authorities (SFA) meal reimbursement amounts as subrecipients on the Federal Transparency Website.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Subaward Reporting System (FSRS).
Condition: RIDE did not report subaward information entered into the FSRS as required by 2 CFR Part 170 during fiscal 2024. Our testing of subaward reporting for compliance with FFATA reporting requirements is detailed in the following table:
[See table within Finding]
Our testing found that RIDE did not comply with FFATA reporting requirements for Child Nutrition Program subawards issued during fiscal 2024.
Cause: Controls, including monitoring procedures, have not been established to ensure that all program subawards are reported as required by FFATA.
Effect: Noncompliance with FFATA reporting requirements for certain program subawards.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-034 Establish policies and procedures in conjunction with formalizing internal control that ensures complete reporting of subawards in accordance with FFATA.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: Not Applicable – Donated Food Commodities
Administered by: Rhode Island Department of Corrections (DOC)
Compliance Requirement: Special Tests and Provisions – Accountability for USDA-Donated Foods
ACCOUNTABILITY FOR USDA-DONATED FOODS
The Department of Corrections needs to ensure that it complies with federal regulations governing the receipt, distribution and inventory of USDA-donated foods.
Background: The USDA provides donated commodities, or "USDA Foods," to schools participating in the National School Lunch Program (NSLP), which are calculated based on the number of lunches served and a per meal value, helping to provide nutritionally balanced, low-cost or free lunches to children. DOC receives USDA-Donated Foods for use in Child Nutrition Cluster programs. These foods are stored in the State’s central distribution center (CDC) warehouse and distributed to eligible local educational agencies.
Criteria: 7 CFR §250.12(b) requires DOC to take an annual physical inventory of its storage facility and reconcile the results with its inventory records.
Condition: DOC performed a physical inventory of USDA-donated foods in June 2024. In summary, there were 23 types of donated commodities in inventory that were available for use in Child Nutrition Cluster programs. We tested 17 of the 23 items and identified 2 items (11.8% of commodity items reviewed) not matching the inventory records. In one instance, the cases on hand were 2 fewer than recorded in the inventory records. In the second instance, there were 74 more cases on hand than reflected in the inventory system. These discrepancies totaled $3,504. The causes of these variances were not resolved.
Cause: Controls over inventory are not adequate to ensure proper recording of distribution and replenishment of donated commodities.
Effect: Potential for misappropriation or inaccurate reporting of USDA-donated food commodities.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-035 Improve inventory control procedures over USDA-donated food commodities, including complete reconciliations and resolution of discrepancies noted.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Special Tests and Provisions – Paid Lunch Equity
PAID LUNCH EQUITY COMPLIANCE
RIDE did not ensure that the School Food Authorities (SFAs) with a negative balance as of June 30, 2022 performed the Paid Lunch Equity (PLE) calculation to determine if the price of paid lunch for school year 2023-2024 required an increase or required an increase of non-federal contributions to the non-profit school food account.
Background: PLE requirements apply to all SFAs that reported a negative balance in their nonprofit school food service account. They are required to ensure that sufficient funds are provided to their nonprofit school food service accounts from lunches served to students not eligible for free or reduced-price meals. An SFA currently charging less for a paid lunch than the difference between the federal reimbursement rate for such a lunch and that for a free lunch is required to comply. This difference is known as “equity.” There are two ways to meet this requirement: (1) raising the prices charged for paid lunches; or (2) through contributions from other non-federal sources to the non-profit school food service account. As stated in the compliance supplement, all SFAs that have a negative balance as of June 30, 2022, will need to perform this calculation to determine if the price of a paid meal requires an increase for the school year of 2023-2024 (FY2024) or an increase in nonfederal contributions to the nonprofit food service account.
Criteria: Federal regulations for the Paid Lunch Equity calculation require all SFAs with a negative balance in their non-profit school food service account as of June 30, 2022 to establish prices for paid lunches or an increase in non-federal contributions in accordance with 7 CFR §210.14(e).
Condition: RIDE did not monitor whether the SFAs with negative balances as of June 30, 2022 complied with the PLE calculations for determining if the price of paid lunches required an increase or more non-federal contributions were required to be added to the SFA’s non-profit school food account. We noted eleven SFAs with negative balances reported as of June 30, 2022.
Cause: RIDE did not have policies, procedures or dedicated resources for determining whether SFAs with negative balances complied with 7 CFR §210.14(e).
Effect: RIDE is not in compliance with 7 CFR §210.14(e), which requires the SFAs with negative balances to determine if the price of a paid school lunch must be increased or non-federal contributions must be increased.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-036 Establish policies and procedures in conjunction with formalizing internal control that ensures that SFAs with a negative balance in their non-profit food service account are in compliance with 7 CFR §210.14(e).
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) stores student personally identifiable information (PII), but both contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107-347, Dec. 17, 2002, section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports, their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that currently, change requests are tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) stores student personally identifiable information (PII), but both contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107-347, Dec. 17, 2002, section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports and their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that change requests are currently tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
CHILD NUTRITION CLUSTER – 10.553, 10.555, 10.556, 10.559, 10.582
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: 202424N109944, 202423N109944, 202424N119944, 202423N119944, 202423L160344
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
INFORMATION SYSTEMS SECURITY CONTROLS OVER SYSTEMS ADMINISTERING FEDERAL PROGRAMS AT RIDE
Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds.
Background: AcceleGrants, is the online grant management system for the Consolidated Resource Plan (CRP) grants which RIDE utilizes to administer various federal elementary and secondary education programs (Title I, II, III, IDEA and Race to the Top). AcceleGrants functions as a centralized console for Local Education Agencies (LEAs) to apply for funds. Review and approvals are completed within AcceleGrants by RIDE staff to distribute State and Federal funding for the various education programs.
CNP Connect, is an online management system for the Child Nutrition Program. LEAs (aka sponsors) participating in the School Nutrition Programs (SNP) submit individual student eligibility for free or reduced-price meals that are determined at their local level to the eRIDE portal. This data is shared with the Department of Human Services (DHS), which cross-references it with public assistance data to confirm eligibility. Claims for meal reimbursements are submitted through CNP Connect. Neither system (AcceleGrants/CNP Connect) store student personally identifiable information (PII) but do contain some LEA/sponsor PII. Both systems are now hosted by the same vendor in their cloud environment.
Unlike most State agencies, RIDE operates autonomously and does not utilize the State’s Division of Enterprise Technology Strategy and Services (ETSS) for IT and Information Security (IS) support. RIDE instead has outsourced various cybersecurity enhancement projects due to limited internal resources.
Criteria: IT risk assessment policies and procedures should be well-documented and continuously updated, as per National Institute of Standards and Technology (NIST) standards RA-1. Risk assessments, including vulnerability and penetration testing, should occur regularly or whenever significant IT changes are made, as outlined in NIST SP 800-53 Rev.5, §RA-3. A comprehensive plan is essential for managing an agency's Information System (IS), ensuring the protection of all systems and data. Regular compliance assessments should be part of risk reviews. The application should have access controls for user management (assigning, authorizing, and monitoring access), in line with NIST SP 800-53 Rev.5 §AC-2, to protect RIDE data. Vendor activities should be monitored for software security and availability, with staff trained in risk management as per NIST SP 800-53 Rev.5 §RA-2, §CA-2. Guidelines for managing vendor systems and services are provided at NIST SP 800-53 Rev.5 §SA-9.
The Federal Information Security Management Act (FISMA) requires collaboration and adherence to the National Institute of Standards and Technology (NIST) guidelines for managing information security pertaining to state agencies responsible for managing programs sponsored by the federal government. See Public Law 107 347-Dec.17 2002 section 302, management of IT §1131, b2 (required mandatory standards).
Condition: Information Technology (IT) risk assessments, vendor management, oversight controls, and documentation for overall security need improvement to enhance the reliability of systems and the administration of federal funds. The evaluation of RIDE’s information systems security management noted multiple areas in need of improvement. Examples of specific concerns noted during our review included monitoring of administrative user access, logical access controls, and a lack of system contractor oversight. Due to certain difficulties with the system contractor, RIDE was unable to obtain and review Service Organizational Control (SOC) reports, limiting contractor oversight during the fiscal year.
Resources and efforts are needed to provide a comprehensive approach to system security controls that address identified risks and concerns. RIDE was found to be lacking:
1) A formally documented IT risk assessment review process for internal and vendor security practices. This includes SOC reports and their accompanying Complementary User Entity Controls (CUECs) on applications and services supporting the agency;
2) Mature policies and procedures to govern system logical access change management requests;
3) A separation of duties policy to ensure Governance, Risk and Compliance (GRC) between the applications system administration;
4) Proper guidelines for sponsors’ acceptable usage of applications. Subsequently, a formal documentation process to track logical user change requests is needed. It should be noted that change requests are currently tracked in email format; and
5) An enhanced form of login authentication security such as Multi-factor Authentication (MFA) into applications.
Cause: Current information system security policies and procedures do not meet best practices (i.e., NIST SP 800-53 Rev.5) and need improvement to ensure information system security over the systems utilized to administer federal programs.
Effect: Not performing risk assessments can increase vulnerability to cybersecurity attacks. Not overseeing vendors can lead to higher risks, compliance issues, and operational disruptions. Limited monitoring of user access lowers application and data security. Without separation of duties, system administrators may have excessive access, increasing the potential risk of unintended consequences including fraud.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-037a Develop formalized comprehensive policies and procedures based on an acceptable IT security framework like NIST SP 800-53 Rev.5 or adopt the State’s comprehensive policies and procedures maintained and updated by ETSS.
2024-037b Evaluate the IT security resources needed to implement the adopted security framework or utilize ETSS for IT security support like other State agencies.
2024-037c Focus on maturing logical access controls, documentation, and related processes. Create a proper logical access request tracking process utilizing a ticketing system to manage user change requests efficiently. Set up clearly defined parameters for LEAs’ acceptable usage and routinely review and manage vendor activities and performance.
2024-037d Adopt best practice procedures, including management and oversight, over system administrator accounts employed within RIDE’s systems.
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments. System controls to identify applicant noncompliance with work search requirements were also lacking.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance (UI) programs and ensure that individuals meet the various program requirements to receive benefits. The current system used by DLT to process UI benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. The State utilizes a “cloud-based” front-end application as the user interface for administering UI benefit applications and to validate applicant identity and prevent program fraud. Upon application completion, required applicant data flows to the UI legacy system for benefit administration. The legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2024, benefit payments exceeded $200 million.
DLT maintains a Benefits Accuracy Measurement (BAM) program as required by federal regulations as a quality control system designed to assess the accuracy of UI benefit payments and denied claims. Using a statistical sampling model, the program estimates error rates (i.e., number of claims improperly paid or denied and the dollar amounts of benefits improperly paid or denied) by projecting the results from payment and denial reviews.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with State and federal program requirements. The structure of the federal-state UI program partnership is based on federal statute (20 CFR Chapter V); however, it is implemented through state law.
State responsibilities include: (1) establishing specific, detailed policies and operating procedures which comply with the requirements of federal laws and regulations; (2) determining the state UI tax structure; (3) collecting state UI contributions from employers (commonly called “unemployment taxes”); (4) determining claimant eligibility and disqualification provisions; (5) making payment of UI benefits to claimants; (6) managing the program’s revenue and benefit administrative functions; (7) administering the programs in accordance with established policies and procedures; and (8) enacting state unemployment compensation (UC) law that conforms with federal UC law and ensuring that state law and operations substantially comply with federal law.
State UI regulations (RI Code of Regulations) specific to our findings on eligibility include the following:
• Title 260, Chapter 40, Income Support, Subchapter 05 – Unemployment and Temporary Disability Insurance, Section 1.18(F) – “Every claimant shall make such personal efforts to find suitable work as are customarily made by persons in the same occupation or in any other occupation for which the claimant is reasonably suited, commensurate with current economic conditions. These efforts include but are not limited to:
1) Registering for work with the EmployRI,
2) conducting an active, independent work search with at least three (3) work search contacts in each week that benefits are claimed and maintain a written record of the work search,
3) submitting a weekly work search to the department as prescribed by the director and as indicated in the Department of Labor and Training’s guidelines for an active and independent search for work.
4) posting a résumé on the Employment Services’ online job seeker tool kit and inquiring upon any job opportunities presented by the department,
5) completing a skills review or similar activity through Employment Service as prescribed by the Director, and
6) registering on the Virtual Recruiter or similar tool through Employment Service as prescribed by the Director.”
• Section 1.18 (G) – “The Director has discretion in determining whether to require one or all activities identified in §1.18(F)(4), (5), and (6) of this Part.”
Applicants that do not comply with program work search requirements should be referred to DLT’s Central Adjudication Unit.
RI General Law §28-42-68. Recovery of erroneously paid benefits, “(a) Any individual who, by reason of a mistake or misrepresentation made by himself, herself, or another, has received any sum as benefits under chapters 42 - 44 of this title, in any week in which any condition for the receipt of the benefits imposed by those chapters was not fulfilled by him or her, or with respect to any week in which he or she was disqualified from receiving those benefits, shall in the discretion of the director be liable to have that sum deducted from any future benefits payable to him or her under those chapters, or shall be liable to repay to the director for the employment security fund a sum equal to the amount so received, plus, if the benefits were received as a result of misrepresentation or fraud by the recipient, interest on the benefits at the rate set forth in §28-43-15. That sum shall be collectible in the manner provided in §28-43-18 for the collection of past due contributions. All interest received pursuant to this subsection shall be credited to the employment security interest fund created by §28-42-75.”
Condition: While our testing found that UI payments complied with most program eligibility requirements, noncompliance with certain requirements was noted. We tested a random sample of 60 individual benefit payments totaling $24,243 in fiscal 2024. In conjunction with our testing, the following 2 exceptions (3.3% error rate) were deemed to be noncompliance with eligibility requirements resulting in ineligible benefit payments:
• 1 of 60 individuals had a return-to-work date submitted by the employer; however, the claimant received three payments after that date. DLT did not investigate any potential overpayment (questioned costs - $2,139).
• 1 of 60 was not registered within EmployRI and staff were unable to locate any records of the claimant (questioned costs - $10,829).
In conjunction with our testing, we noted a control deficiency relating to the documentation of social security numbers for applicant dependents. In our sample, we noted one case where social security numbers were not included in the UI system for reported dependents. Although DLT was subsequently able to provide documentation of social security numbers for the dependents, the UI system lacks systemic controls to prevent benefit payments when social security numbers are not reported in the case record.
As part of our testing, we evaluated applicant compliance with job search activities (e.g., résumé posting, completing a skills review, registering on the Virtual Recruiter or similar tool) required within UI policies and procedures. Our testing identified the following exceptions relating to applicant job search activity compliance:
• 5 of 60 (8.3%) did not have a résumé. EmployRI sets up the claim with an automated résumé recording all the information that a claimant presents. These five claimants did not comply with the requirement that a résumé be posted within six weeks. DLT follow-up indicated that “the system failed to create the system generated résumé” for these applicants.
• 50 of 60 (83.3%) had incomplete résumés in the EmployRI system. Each résumé had a completion rate between 20% and 60% and remained offline.
For eligibility purposes, while these exceptions support that controls are lacking over applicant compliance with job search requirements, these exceptions were not considered to represent benefit payments to ineligible applicants since DLT did not identify these cases for adjudication. Our review also noted that certain State UI policies on file with the Secretary of State regarding work search requirements (e.g., submission of weekly work search, résumé posting requirements) were inconsistent with the UI claimant guidance available on the DLT website.
Both our testing results and those reported through the BAM program identified significant noncompliance with UI claimant job search requirements. DLT’s reported BAM program results for the 2023-2024 reporting period cited noncompliance with work search activities in 31% of the cases reviewed.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to UI benefit operations. The State’s planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., Onbase imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits were paid to individuals who did not comply with program eligibility requirements.
Questioned Costs: $12,968
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-038a Implement compensating controls to identify noncompliance with program requirements.
2024-038b Ensure that ongoing considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
2024-038c Ensure that official State UI policies and procedures on file with the Secretary of State relating to work search requirements are consistent with UI claimant guidance available on DLT’s website.
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments. System controls to identify applicant noncompliance with work search requirements were also lacking.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance (UI) programs and ensure that individuals meet the various program requirements to receive benefits. The current system used by DLT to process UI benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. The State utilizes a “cloud-based” front-end application as the user interface for administering UI benefit applications and to validate applicant identity and prevent program fraud. Upon application completion, required applicant data flows to the UI legacy system for benefit administration. The legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2024, benefit payments exceeded $200 million.
DLT maintains a Benefits Accuracy Measurement (BAM) program as required by federal regulations as a quality control system designed to assess the accuracy of UI benefit payments and denied claims. Using a statistical sampling model, the program estimates error rates (i.e., number of claims improperly paid or denied and the dollar amounts of benefits improperly paid or denied) by projecting the results from payment and denial reviews.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with State and federal program requirements. The structure of the federal-state UI program partnership is based on federal statute (20 CFR Chapter V); however, it is implemented through state law.
State responsibilities include: (1) establishing specific, detailed policies and operating procedures which comply with the requirements of federal laws and regulations; (2) determining the state UI tax structure; (3) collecting state UI contributions from employers (commonly called “unemployment taxes”); (4) determining claimant eligibility and disqualification provisions; (5) making payment of UI benefits to claimants; (6) managing the program’s revenue and benefit administrative functions; (7) administering the programs in accordance with established policies and procedures; and (8) enacting state unemployment compensation (UC) law that conforms with federal UC law and ensuring that state law and operations substantially comply with federal law.
State UI regulations (RI Code of Regulations) specific to our findings on eligibility include the following:
• Title 260, Chapter 40, Income Support, Subchapter 05 – Unemployment and Temporary Disability Insurance, Section 1.18(F) – “Every claimant shall make such personal efforts to find suitable work as are customarily made by persons in the same occupation or in any other occupation for which the claimant is reasonably suited, commensurate with current economic conditions. These efforts include but are not limited to:
1) Registering for work with the EmployRI,
2) conducting an active, independent work search with at least three (3) work search contacts in each week that benefits are claimed and maintain a written record of the work search,
3) submitting a weekly work search to the department as prescribed by the director and as indicated in the Department of Labor and Training’s guidelines for an active and independent search for work.
4) posting a résumé on the Employment Services’ online job seeker tool kit and inquiring upon any job opportunities presented by the department,
5) completing a skills review or similar activity through Employment Service as prescribed by the Director, and
6) registering on the Virtual Recruiter or similar tool through Employment Service as prescribed by the Director.”
• Section 1.18 (G) – “The Director has discretion in determining whether to require one or all activities identified in §1.18(F)(4), (5), and (6) of this Part.”
Applicants that do not comply with program work search requirements should be referred to DLT’s Central Adjudication Unit.
RI General Law §28-42-68. Recovery of erroneously paid benefits, “(a) Any individual who, by reason of a mistake or misrepresentation made by himself, herself, or another, has received any sum as benefits under chapters 42 - 44 of this title, in any week in which any condition for the receipt of the benefits imposed by those chapters was not fulfilled by him or her, or with respect to any week in which he or she was disqualified from receiving those benefits, shall in the discretion of the director be liable to have that sum deducted from any future benefits payable to him or her under those chapters, or shall be liable to repay to the director for the employment security fund a sum equal to the amount so received, plus, if the benefits were received as a result of misrepresentation or fraud by the recipient, interest on the benefits at the rate set forth in §28-43-15. That sum shall be collectible in the manner provided in §28-43-18 for the collection of past due contributions. All interest received pursuant to this subsection shall be credited to the employment security interest fund created by §28-42-75.”
Condition: While our testing found that UI payments complied with most program eligibility requirements, noncompliance with certain requirements was noted. We tested a random sample of 60 individual benefit payments totaling $24,243 in fiscal 2024. In conjunction with our testing, the following 2 exceptions (3.3% error rate) were deemed to be noncompliance with eligibility requirements resulting in ineligible benefit payments:
• 1 of 60 individuals had a return-to-work date submitted by the employer; however, the claimant received three payments after that date. DLT did not investigate any potential overpayment (questioned costs - $2,139).
• 1 of 60 was not registered within EmployRI and staff were unable to locate any records of the claimant (questioned costs - $10,829).
In conjunction with our testing, we noted a control deficiency relating to the documentation of social security numbers for applicant dependents. In our sample, we noted one case where social security numbers were not included in the UI system for reported dependents. Although DLT was subsequently able to provide documentation of social security numbers for the dependents, the UI system lacks systemic controls to prevent benefit payments when social security numbers are not reported in the case record.
As part of our testing, we evaluated applicant compliance with job search activities (e.g., résumé posting, completing a skills review, registering on the Virtual Recruiter or similar tool) required within UI policies and procedures. Our testing identified the following exceptions relating to applicant job search activity compliance:
• 5 of 60 (8.3%) did not have a résumé. EmployRI sets up the claim with an automated résumé recording all the information that a claimant presents. These five claimants did not comply with the requirement that a résumé be posted within six weeks. DLT follow-up indicated that “the system failed to create the system generated résumé” for these applicants.
• 50 of 60 (83.3%) had incomplete résumés in the EmployRI system. Each résumé had completion rates between 20% - 60% and remained offline.
For eligibility purposes, while these exceptions support that controls are lacking over applicant compliance with job search requirements, these exceptions were not considered to represent benefit payments to ineligible applicants since DLT did not identify these cases for adjudication. Our review also noted that certain State UI policies on file with the Secretary of State regarding work search requirements (e.g., submission of weekly work search, résumé posting requirements) were inconsistent with the UI claimant guidance available on the DLT website.
Both our testing results and those reported through the BAM program identified significant noncompliance with UI claimant job search requirements. DLT’s reported BAM program results for the 2023-2024 reporting period cited noncompliance with work search activities in 31% of the cases reviewed.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to UI benefit operations. The State’s planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., Onbase imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits were paid to individuals who did not comply with program eligibility requirements.
Questioned Costs: $12,968
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-038a Implement compensating controls to identify noncompliance with program requirements.
2024-038b Ensure that ongoing considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
2024-038c Ensure that official State UI policies and procedures on file with the Secretary of State relating to work search requirements are consistent with UI claimant guidance available on DLT’s website.
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Rhode Island Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT)’s UI system does not impose penalties on overpayments due to fraud as required by federal regulations. The system also does not prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment results from the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15%) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
In compliance with federal law (42 U.S. Code Section 503(a)(11), State Laws), the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a DLT request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2024, DLT was not properly identifying and handling overpayments due to system limitations, including, as applicable, assessing the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud. DLT has no procedures currently in place to comply with federal regulations for program integrity overpayments.
Effect: Material noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-039 Implement procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
HIGHWAY PLANNING AND CONSTRUCTION – 20.205
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2024
Federal Award Numbers: Various
Administered by: Rhode Island Department of Transportation (RIDOT)
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Procurement, Suspension and Debarment
CONSULTANT CERTIFICATION OF INDIRECT COST RATE COMPLIANCE
RIDOT lacks policies and procedures requiring consultants to certify final indirect costs as mandated by federal regulations.
Criteria: Consultants and sub-consultants providing engineering and design-related services must certify to contracting agencies that costs used to establish indirect cost rates are in compliance with the applicable cost principles contained in the Federal Acquisition Regulation (48 CFR Part 31) by submitting a “Certificate of Final Indirect Costs” (23 USC 112(b)(2)(C); 23 CFR §172.11(c)(3)).
Condition: RIDOT lacks formalized internal control (e.g., policies and procedures) to ensure compliance with 23 CFR §172.11(c)(3). RIDOT did not obtain the required Certificate of Final Indirect Costs from engineering and design-related vendors as required by federal regulations.
Cause: RIDOT has not developed, documented, or implemented a Certificate of Final Indirect Costs for engineering and design-related service procurements.
Effect: RIDOT is not compliant with 23 CFR §172.11(c)(3)(iii) and (ii) which require submission of a Certificate of Final Indirect Costs by an appropriate certifying official of the engineering and design-related services consultant. Consequently, RIDOT does not have an attestation from contracted consultants certifying compliance with Federal Acquisition Regulation cost principles designed to provide assurance of compliance with laws, regulations, and grant terms and conditions.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-040 Develop, document and implement a Certificate of Final Indirect Costs for engineering and design-related service procurements in compliance with 23 CFR §172.11(c)(3)(iii) and (ii). Integrate the Certificate of Final Indirect Costs within RIDOT’s internal control system to provide assurance of compliance with laws, regulations, and grant terms and conditions.
HIGHWAY PLANNING AND CONSTRUCTION – 20.205
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2024
Federal Award Numbers: Various
Administered by: Rhode Island Department of Transportation (RIDOT)
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Procurement, Suspension and Debarment
INDEFINITE DELIVERY / INDEFINITE QUANTITY PROCUREMENT
RIDOT has no documentation of FHWA approved Indefinite Delivery/Indefinite Quantity (ID/IQ) procurement policies and procedures.
Background: ID/IQ is a method of contracting that allows an indefinite quantity of services for a fixed time. This method is used when a contracting agency anticipates a recurring need but has not determined, above a specified minimum, the precise quantities of services that it will require during the contract period. Contractors bid unit prices for estimated quantities of standard work items, and work orders are used to define the location and quantities for specific work.
Criteria: 23 CFR §635.606(a) states that “The State DOT shall submit its proposed ID/IQ procurement procedures to the Division Administrator for review and approval. Following approval by the Division Administrator, any subsequent changes in procedures and requirements shall also be subject to approval by the Division Administrator before they are implemented. Other contracting agencies may follow approved State DOT procedures in their State or their own procedures if approved by both the State DOT and FHWA. The Division Administrator’s approval of ID/IQ procurement procedures may not be delegated or assigned to the State DOT.”
Condition: The RIDOT internal control system does not contain documented and approved ID/IQ procurement procedures detailing control activities which provide assurance of compliance with laws, regulations, and grant terms and conditions.
Cause: RIDOT has not developed, documented, and submitted ID/IQ procurement procedures to FHWA for review and approval.
Effect: RIDOT is not compliant with 23 CFR §635.606(a) documentation and approval requirements for ID/IQ procurements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-041 Develop and document ID/IQ procurement procedures and submit them to FHWA for review and approval. Upon FHWA approval, integrate ID/IQ procurement procedures within RIDOT’s internal control system to provide assurance of compliance with laws, regulations, and grant terms and conditions.
PORT INFRASTRUCTURE DEVELOPMENT PROGRAM – 20.823
Federal Awarding Agency: U.S. Department of Transportation (DOT)
Federal Award Fiscal Years: 2022 - 2028; 2024 - 2029
Federal Award Numbers: 693JF72140012; 693JF72344009
Administered by: Quonset Development Corporation (QDC)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Cash Management; Procurement, Suspension and Debarment; Subrecipient Monitoring
QUONSET DEVELOPMENT CORPORATION – DOCUMENTED POLICIES AND PROCEDURES
Criteria: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial and program management. Specifically, written policies are required for the following:
• Determination of allowable costs
• Employee travel
• Cash management
• Procurement
• Conflicts of interest
Condition: The Organization does not have written policies and procedures in place related to federal awards, as required under the Uniform Guidance.
Cause: While the Organization does not have written policies and procedures regarding internal controls, it has not developed specific written formal documentation of internal controls to encompass all applicable areas per the Uniform Guidance.
Effect: Due to the weaknesses in internal controls noted above, the Organization did not comply with the requirements of the Uniform Guidance over documented policies and procedures. No questioned costs are reported as this requirement is procedural in nature.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-042 The Organization should address the weakness noted above and create policies and procedures related to federal awards in order to comply with the Uniform Guidance.
NATIONAL INFRASTRUCTURE INVESTMENT – 20.933
Federal Awarding Agency: U.S. Department of Transportation (DOT), Federal Highway Administration (FHWA)
Federal Award Fiscal Years: 2018 - 2024
Federal Award Numbers: NHPBLDG001, NHPBLDG002, IMO953115, NHPBLDG003, NHP0037015
Administered by: Rhode Island Department of Transportation (RIDOT)
Compliance Requirement: Reporting
FEDERAL REPORTING
RIDOT lacks documentation of internal controls over the reporting requirements for National Infrastructure Investment (NII) Grants.
Criteria: 2 CFR §200.303(a) states “Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition: RIDOT’s internal controls relating to reporting requirements for NII Grants are not formalized in the manner required by statute, federal regulations, or professional standards (COSO, Green Book). There is no documentation of review and approval for submission of the Quarterly Project Progress Reports that are required by the grant awards. The Division of Performance Management, responsible for submission of the report, obtains verbal approval from the Director of Project Management prior to submission of the NII Grant report to FHWA. Consequently, submission approval and segregation of report preparation and approval/authorization control activities are not verifiable by examination.
RIDOT’s current processes for NII Grant reporting are susceptible to misinterpretation, result in less assurance and accountability for report preparation and approval, and prevent the evaluation and monitoring of controls designed to ensure reporting accuracy.
Cause: RIDOT lacks documentation of internal control that complies with Uniform Guidance requirements.
Effect: Potential for errors in federal reporting submitted for the NII Grant program.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-043a Enhance internal controls over the Reporting requirement by documenting policies, procedures and control activities in conformance with an internal control framework such as COSO or the Green Book.
2024-043b Document NII Grant report review and submission approval.
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration (DOA), Pandemic Recovery Office (PRO)
Compliance Requirement: Subrecipient Monitoring; Allowable Costs/Cost Principles
SUBRECIPIENT PAYMENTS AND MONITORING
Subrecipient monitoring procedures were insufficient to identify and remedy a finding reported by the subrecipient auditor that affected the State Fiscal Recovery Fund. Monitoring procedures were not in place to ensure adequate documentation was obtained regarding the use of payment advances.
Background: The Pandemic Recovery Office, as the administering agency of the State Fiscal Recovery Fund, executes memoranda of understanding with the various departments and agencies to conduct projects under the allowable uses of the program. The departments and agencies then often execute subawards within the scope of the specific project.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
Uniform Guidance cost principles dictate that, in order to be allowable under Federal awards, costs must be adequately documented (2 CFR §200.403(g)).
Condition: As part of our testing, we performed an independent review of Single Audit Reports submitted to the Federal Audit Clearinghouse (FAC) for each sampled subrecipient. We noted a reported finding linked to the State Fiscal Recovery Fund for the subrecipient audit year ended September 30, 2024; the report was filed with the Clearinghouse on June 24, 2024. The report was not reviewed by the pass-through department, and subsequently, no management decision was issued.
In regard to the review of subrecipient reports in the Clearinghouse overall, of the 26 sampled subrecipient entities, 18 had filed Single Audit Reports with the FAC. Of those 18 reports, only 3 were reviewed and documented, with management decisions issued as necessary (15 not reviewed; 83% error rate).
Additionally, many of these subrecipients receive funding on a periodic basis. Of 31 subrecipient payments reviewed, 3 were payment advances to subrecipients for which no additional documentation or reconciliation was available to support subrecipient expenditures related to those prepayments. We noted several other subrecipient reimbursement payments that were lacking adequate support for the expenditures being reimbursed. The agency was unable to provide other documentation maintained to support monitoring procedures.
Cause: Subrecipient monitoring procedures are not in place to ensure audit reports are reviewed and management decisions are issued, as required by Uniform Guidance. Other monitoring procedures were inadequate to ensure that subrecipients appropriately utilized the funds provided to support program objectives.
Effect: Noncompliance with program guidelines and/or federal regulations at the subrecipient level could go undetected and unresolved.
Questioned Costs: Undetermined
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-044a Enhance internal control procedures to ensure timely review of audit reports and issuance of management decisions in accordance with Uniform Guidance.
2024-044b Strengthen subrecipient compliance by requiring submission of Single Audit Reports to the pass-through department/agency as part of the subaward terms and conditions, prompting the review upon receipt of the reports.
2024-044c Enhance controls to ensure adequate documentation of monitoring procedures performed and support for subrecipient expenditures is obtained. Document any meetings and/or conversations with the subrecipients and the discussions had therein.
DRINKING WATER STATE REVOLVING FUND – 66.468
Federal Awarding Agency: Environmental Protection Agency (EPA)
Federal Award Fiscal Years: 2022 - 2030
Federal Award Numbers: 99126120, 99126122, 99126E22, 99126S22, 99126L22, 99126123, 99126E23, 99126S23, 99126121, 99126L23
Pass-through Entity: Rhode Island Infrastructure Bank (RIIB)
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER ALLOCATION OF INDIRECT COSTS
Controls are inadequate to ensure allocation of indirect costs is accurate, complete and in compliance with federal regulations.
Background: RIDOH has constructed comprehensive workbooks, Uniform Grant Spreadsheets (UGS), to assist in monitoring award activity throughout the period of performance. Agency staff populate the UGS workbooks monthly with transactional information from the State’s accounting system. Accounting detail contained in the UGS is utilized to determine the indirect costs allocable to direct expenditures. Populating the spreadsheets is a manual process and lacks the required access, data integrity and other monitoring controls necessary to ensure the accuracy of the recording activity and subsequent calculations contained within.
Criteria: Federal regulations 2 CFR §200.303 and 45 CFR §75.303 require the auditee to establish, document and maintain effective internal control over Federal awards that provides reasonable assurance the recipient is managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards.
Additionally, Federal regulation 2 CFR Part 200, Appendix VII specifically excludes capital expenditures as part of the direct expenditure base used in computing the indirect costs.
Condition: Internal control over the allocation of indirect costs was insufficient to ensure compliance with federal regulations, specifically:
• Indirect costs were erroneously applied to capital expenditures relating to improvements of the State’s Medical Examiner’s building, resulting in questioned costs of $160,132.
• Data entry errors in the ELC Enhancing Detection award workbook resulted in an incorrect indirect cost rate being applied retroactively to fiscal 2021. In considering total questioned costs, we calculated the impact of the incorrect indirect cost rate applied over the duration of the award to determine total questioned costs of $989,825.
Cause: Current controls are not adequate (1) to detect the inclusion of unallowable costs within the indirect cost allocation calculation and (2) to ensure that the approved indirect cost rate is properly applied. The maintenance of the UGS monthly transactional detail is highly manual and lacks the data integrity controls to properly monitor for completeness, accuracy and required compliance with federal regulations.
Effect: Reimbursement for unallowable indirect costs.
Questioned Costs: $1,149,957 (ELC – 93.323)
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-045a Enhance internal controls over the UGS to ensure only allowable costs are included in the calculation of indirect costs and that only the approved indirect cost rate is applied.
2024-045b Credit the federal grantor for unallowable costs charged to the ELC grant award.
DRINKING WATER STATE REVOLVING FUND – 66.468
Federal Awarding Agency: Environmental Protection Agency (EPA)
Federal Award Fiscal Years: 2022 - 2030
Federal Award Number: 99126120, 99126122, 99126E22, 99126S22, 99126L22, 99126123, 99126E23, 99126S23, 99126121, 99126L23
Pass-through Entity: Rhode Island Infrastructure Bank (RIIB)
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH controls over time and effort reporting are insufficient to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built and implemented a complex time-reporting system using internal worksheets for employees to allocate time spent on various activities during the pay periods. Reconciliations of the hours worked versus the hours charged to the State’s payroll and accounting systems are performed quarterly. Recorded amounts are adjusted accordingly to ensure charges to the federal programs are consistent with actual time worked on the various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(g)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following control deficiencies pertaining to the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 25 of the 80 selected weekly timesheets lacked a supervisory review signature. In addition, RIDOH was unable to provide 1 timesheet for an employee selected in the sample. For the Drinking Water State Revolving Fund (DWSRF) program, 4 of the 80 selected weekly timesheets lacked a supervisory review signature.
• Two exceptions in the ELC sample noted above, and one exception in the DWSRF sample noted above, involved timesheet activity recorded to general category codes (i.e., EH Management & Leadership), which lack sufficient detail (i.e., underlying activity performed in support of related category code) to support specific Federal program allocation. This resulted in certain payroll costs being overallocated to the ELC program (questioned costs $1,126) and to the DWSRF program (questioned costs $704).
Cause: Current policies and procedures were ineffective to ensure amounts claimed and reimbursed by Federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet details for general category codes prevented direct verification of recorded timesheet activities to the underlying charges for the related federal programs.
Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $1,126 (ELC – 93.323), $704 (DWSRF – 66.468)
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-046 Enhance reporting of time and effort for general timesheet category activities to improve documentation and support for personnel costs charged to Federal programs.
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The Department of Education (RIDE) has not implemented adequate subrecipient monitoring activities to ensure compliance with federal regulations.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations. RIDE performs its subrecipient monitoring through the review of audit reports, desk reviews, and site visits for subrecipients deemed high risk. High-risk subrecipients are determined through the review of audit reports, completion of a desk review checklist, and an annual survey completed by the subrecipients and then scored by RIDE.
Criteria: Federal regulation 2 CFR §200.329 requires Pass Through Entities (PTE), such as the State, to monitor grant subrecipients to ensure that federal funds are spent appropriately. Federal Regulation 2 CFR §200.332 Subpart B requires that the PTE provide subrecipients with clear grant information, including grant terms, required financial reporting, and audit requirements. Per 2 CFR §200.328, PTEs must collect financial data from subrecipients no less than annually.
Condition: We identified some deficiencies in internal controls relating to subrecipient monitoring during our audit. Deficiencies included a lack of required monitoring documentation (e.g., annual surveys, Single Audit Reports) submitted by subrecipients and failure by RIDE to appropriately consider these deficiencies within their consideration of subrecipient risk. Of the 65 subrecipients receiving $55.3 million, we selected 25 subrecipients for testing and found 4 subrecipients with control deficiencies that prevented RIDE from complying with the subrecipient monitoring requirement as follows:
• RIDE was unable to provide documentation supporting grant award information communicated to one subrecipient. Additionally, the required risk assessment for the Special Education Cluster was not performed for this subrecipient.
• RIDE was unable to provide the completed Desk Review checklist for 3 subrecipients. These 3 subrecipients also did not complete RIDE’s required annual survey. We found that the lack of annual survey completion did not result in RIDE assessing higher risk for one subrecipient and thus no site visit was performed. The other 2 subrecipients were assessed at high risk; however, no site visit was performed for these subrecipients.
• A subrecipient did not submit its fiscal year 2022 and 2023 Single Audit Reports and RIDE did not modify its risk assessment accordingly. RIDE was also unable to provide documentation supporting its follow-up (i.e., meeting discussing the submission of the Single Audit Report) with the subrecipients. Additionally, RIDE’s risk assessment was not adequate to identify this subrecipient as high risk.
Internal controls over subrecipient monitoring would be improved by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed. Implementing site visits when subrecipients do not comply with documentation requirements would ensure that monitoring procedures align with the risk associated with the subrecipient.
Cause: Lack of adequate dedicated agency resources and insufficient controls to ensure compliance with federal requirements.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-047 Improve internal controls over subrecipient monitoring by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed.
SPECIAL EDUCATION CLUSTER (IDEA) – 84.027, 84.173
Federal Awarding Agency: U.S. Department of Agriculture (USDA)
Federal Award Fiscal Year: 2024
Federal Award Numbers: HO27A220054-22A, H173A220057
Administered by: Rhode Island Department of Elementary and Secondary Education (RIDE)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The Department of Education (RIDE) has not implemented adequate subrecipient monitoring activities to ensure compliance with federal regulations.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations. RIDE performs its subrecipient monitoring through the review of audit reports, desk reviews, and site visits for subrecipients deemed high risk. High-risk subrecipients are determined through the review of audit reports, completion of a desk review checklist, and an annual survey completed by the subrecipients and then scored by RIDE.
Criteria: Federal regulation 2 CFR §200.329 requires Pass Through Entities (PTE), such as the State, to monitor grant subrecipients to ensure that federal funds are spent appropriately. Federal Regulation 2 CFR §200.332 Subpart B requires that the PTE provide subrecipients with clear grant information, including grant terms, required financial reporting, and audit requirements. Per 2 CFR §200.328, PTEs must collect financial data from subrecipients no less than annually.
Condition: We identified some deficiencies in internal controls relating to subrecipient monitoring during our audit. Deficiencies included a lack of required monitoring documentation (e.g., annual surveys, Single Audit Reports) submitted by subrecipients and failure by RIDE to appropriately consider these deficiencies within their consideration of subrecipient risk. Of the 65 subrecipients receiving $55.3 million, we selected 25 subrecipients for testing and found 4 subrecipients with control deficiencies that prevented RIDE from complying with the subrecipient monitoring requirement as follows:
• RIDE was unable to provide documentation supporting grant award information communicated to one subrecipient. Additionally, the required risk assessment for the Special Education Cluster was not performed for this subrecipient.
• RIDE was unable to provide the completed Desk Review checklist for 3 subrecipients. These 3 subrecipients also did not complete RIDE’s required annual survey. We found that the lack of annual survey completion did not result in RIDE assessing higher risk for one subrecipient and thus no site visit was performed. The other 2 subrecipients were assessed at high risk; however, no site visit was performed for these subrecipients.
• A subrecipient did not submit its fiscal year 2022 and 2023 Single Audit Reports and RIDE did not modify its risk assessment accordingly. RIDE was also unable to provide documentation supporting its follow-up (i.e., meeting discussing the submission of the Single Audit Report) with the subrecipients. Additionally, RIDE’s risk assessment was not adequate to identify this subrecipient as high risk.
Internal controls over subrecipient monitoring would be improved by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed. Implementing site visits when subrecipients do not comply with documentation requirements would ensure that monitoring procedures align with the risk associated with the subrecipient.
Cause: Lack of adequate dedicated agency resources and insufficient controls to ensure compliance with federal requirements.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-047 Improve internal controls over subrecipient monitoring by 1) updating subrecipients’ risk assessments when they fail to comply with documentation requirements, and 2) implementing monitoring procedures to identify instances where RIDE’s monitoring is not consistent with the risk assessed.
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 - 2027
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Reporting
CONTROLS OVER FEDERAL FINANCIAL REPORTING REQUIREMENTS
There are insufficient controls to ensure complete and accurate program reporting requirements.
Criteria: Federal regulation 45 CFR §75.341 requires the Federal Financial Report (FFR), SF-425A, to be submitted on an annual basis in accordance with the terms and conditions of the federal award. Recipients must submit FFRs to the U.S. Department of Health and Human Services (HHS) Centers for Disease Control & Prevention no later than 90 days after the end of the reporting period and final FFRs within 120 days after the end of the period of performance. FFRs are to be complete and accurate, and the amounts reported must be able to be substantiated by the entity’s accounting records. In addition, the report is designed to capture key financial data for a grant award, such as the amount of federal funds disbursed and spent so far.
Condition: RIDOH was unable to substantiate expenditure amounts recorded on the FFR for the ELC Core award and its supplements. Additionally, the ELC Core – National Wastewater Surveillance System FFR reported amounts for expenditures past the end of the reporting period.
Cause: RIDOH currently utilizes workbooks, called Uniform Grant Spreadsheets (UGS), to track federal expenditures during the term of the award. Information reported on the annual FFRs is compiled using the cumulative information within the UGS. There is a lack of sufficient control over access and data integrity to ensure that the underlying transactional account details are complete and accurate. The UGS are not reconciled on a routine basis to ensure consistency with the detail in the State’s financial accounting system, and management’s review of the required SF-425A reports was insufficient to identify inaccuracies in amounts reported.
Effect: Certain submitted Federal Financial Reports (SF-425A) were not complete and accurate.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-048a Enhance internal control over the UGS to ensure the accuracy and integrity of cumulative financial information used in generating required federal financial reports.
2024-048b Reconcile the details contained within the UGS to the underlying transactional information recorded in the State’s accounting system, to verify amounts reported within the required SF-425A forms are complete and accurate.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS IN THE TEMPORARY ASSISTANCE FOR NEEDY FAMILIES (TANF) PROGRAM
Internal controls are lacking to ensure that TANF eligibility is supported by documentation required by program regulations. Documentation deficiencies, specifically those relating to documented applicant residency, resulted in noncompliance with TANF eligibility requirements for fiscal 2024.
Background: RIBridges is the State’s federally approved integrated eligibility system used to manage multiple health care and human service programs. It was designed to allow for enhanced client accessibility and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: Federal regulation 45 CFR §260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR §205.60(a) requires the State agency “to maintain records to support eligibility, including facts to support the client’s need for assistance. The State’s policies and procedures require that documentation used to verify eligibility be maintained in the case file.”
Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Proof of residency is a requirement for TANF eligibility. According to the RI State plan, acceptable documentation for proof of residency includes rental receipts, lease agreements, utility bills, medical bills, bank statements, payroll statements, mortgage statements, car registrations, city or town tax statements, and/or school records.
Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. We noted the following exceptions in our testing of case files:
[See table within Finding]
Exceptions resulting in eligibility being unsupported by case record (11 Exceptions – 15.4% error rate):
• None of the required documentation supporting household residency was included in the case record for 9 sample households.
• Signed recertification documents not scanned to the system for 2 of the cases selected in the sample.
Exceptions – nonconformance with established eligibility process and/or control procedures (control exception without impact on eligibility):
• Identification documents for all household members or other supporting case documents not scanned to the system (23 instances).
* Represents the number of cases containing errors; a case may have more than one error.
Documentation deficiencies for critical eligibility requirements were noted in 15.4% of the cases we tested in fiscal 2024. Our sample of 71 household monthly benefit payments totaled $42,392. Questioned costs noted during our sample testing totaled $6,158 for a benefit error rate of 14.53%. Our sample error rate projected to the benefit population estimated likely questioned costs of $3.4 million, or 4.3% of the total program expenditures. While our projected questioned costs did not rise to the level of material noncompliance with TANF eligibility requirements, significant noncompliance is resulting from documentation deficiencies.
While applicant attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation and the significant number of other documentation deficiencies noted were deemed to be a material weakness in internal control over TANF eligibility.
Cause: Lack of supporting documentation included in the TANF case record (file) and insufficient procedures to ensure that critical case documentation is included in the case record prior to eligibility being approved for the applicant.
Effect: Noncompliance with TANF eligibility requirements and/or documentation requirements mandated by DHS policy. Ineligible benefit payments claimed to the TANF program.
Questioned Costs: $53,835
Valid Statistical Sample: Yes
RECOMMENDATION
2024-049 Improve policies and procedures to ensure that all required eligibility compliance requirements for TANF are documented within RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Special Tests and Provisions – Income Eligibility and Verification System
INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Internal controls are lacking to ensure that Income Eligibility Verification System (IEVS) requirements are supported by documentation required by program regulations. Documentation deficiencies, specifically relating to executing data exchange interfaces, resulted in noncompliance with federal requirements for fiscal 2024.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: 2 CFR §200.303 requires that a non-federal entity must “establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Federal regulation 45 CFR §205.55 requires that “each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45 CFR §205.55):
(a.) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis.
(b.) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted.
(c.) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity.
(d.) Information from the US Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information.
(e.) Unearned income from the Internal Revenue Service (IRS).”
Condition: The Department of Human Services (DHS) did not outline within its TANF state plan how it complies with Section 1137 of the Social Security Act as amended as it relates to IEVS requirements. Furthermore, the case files reviewed in the RIBridges system lacked sufficient documentation to demonstrate that income data interfaces were consistently executed for certain cases tested. This raises concerns regarding the adequacy of verification processes and compliance with federal program integrity requirements.
As part of our sample testing of 71 cases subject to IEVS requirements, we identified the following issues:
• In 5 cases, SWICA data from the Rhode Island Department of Labor and Training was available; however, no actions were taken to verify or incorporate this information into the benefit calculation process.
• In 5 cases, none of the required IEVS data interfaces had been executed or documented in the case files.
• In 21 cases, the IRS data interface was either not executed or reflected outdated information.
• In 9 cases, the SSA data interface was either not executed or reflected outdated information.
Cause: Absence of IEVS procedures documented within the TANF state plan. Lack of supporting documentation in the case record and insufficient procedures to ensure that income interfaces are run against client information prior to and during eligibility periods.
Effect: Noncompliance with TANF IEVS requirements mandated by federal regulations. Improper or incorrect benefit payments could be claimed to the TANF program.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-050a Conduct a review of the TANF state plan and update it to include detailed procedures for utilizing IEVS interfaces and incorporating the resulting information into eligibility determinations.
2024-050b Ensure that income data interfaces are properly executed and that the information obtained is used in making benefit eligibility determinations.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022; 2023; 2024
Federal Award Number: 2201RITANF; 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL AND SPECIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation. Subawards were not reported timely in accordance with federal regulations.
Background: RIBridges is the State’s federally approved integrated eligibility system used to manage multiple healthcare and human service programs. It was designed to allow for enhanced client accessibility and provide for periodic validation of client attested data through multiple electronic interfaces.
Criteria: Federal reports should include all activity for the reporting period, be supported by applicable accounting or performance records, and be fairly presented in accordance with program reporting requirements. Subaward reporting under the Federal Funding Accountability and Transparency Act (FFATA) requires the awarding agency to report subawards in the Federal Subaward Reporting System (FSRS) no later than the last day of the month following the month in which the subaward/subaward amendment obligation was made or the subcontract award/subcontract modification was made (2 CFR Part 170, Appendix A, Award Term, Reporting Requirements).
Condition: We tested two out of five quarterly TANF reports (grant awards can often overlap reporting periods), and two of four quarterly Childcare financial reports, noting errors in at least one line item in all reports tested that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
In regard to testing of subawards for compliance with federal reporting requirements, three subawards were not submitted by the end of the month subsequent to the awarding action. Our testing of subaward reporting for compliance with FFATA reporting requirements is detailed in the following tables:
[See tables within Finding]
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, documentation for each report was not saved and maintained as supporting documentation. DHS lacks monitoring controls to ensure that subawards are reported in accordance with FFATA requirements.
Effect: Federal reporting errors were made and not detected and corrected.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-051a Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
2024-051b Implement monitoring controls to ensure that subaward information is submitted timely in accordance with FFATA reporting requirements.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PAYMENTS TO SUBRECIPIENTS
Invoices provided by subrecipients for both TANF and Childcare did not include all underlying documentation to support the amount requested.
Background: TANF: A State may contract with charitable, religious, and private organizations to provide administrative and programmatic services and may provide beneficiaries of assistance with certificates, vouchers, or other forms of disbursement that are redeemable with such organization (42 USC 604a(b), 42 USC 604a(k), and 45 CFR §260.34).
CCDF: Funds may be used for activities that improve the quality or availability of child care services, consumer education and parental choice (42 USC 9858e).
Subrecipients are required to submit periodic reports (FM-1) and supporting documentation to DHS to receive payment.
Criteria: The Uniform Guidance, 2 CFR §200.403, Factors affecting allowability of costs, requires that allowable costs:
(a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles.
(b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items.
(c) Be consistent with policies and procedures that apply uniformly to both federally financed and other activities of the recipient or subrecipient.
(d) Be accorded consistent treatment. For example, a cost must not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose in like circumstances has been allocated to the Federal award as an indirect cost.
(e) Be determined in accordance with generally accepted accounting principles (GAAP).
(f) Not be included as a cost or used to meet cost sharing requirements of any other federally-financed program in either the current or a prior period.
(g) Be adequately documented.
Condition: Subrecipients submit monthly invoices requesting reimbursement for cost categories such as Payroll, Overhead, Consulting, Supplies, and Travel. Eighteen out of 25 TANF contract payments tested were lacking supporting documentation for at least one cost category reported on the FM-1. We also noted 19 out of 25 CCDF contract payments were lacking supporting documentation for payroll costs reported on the FM-1. While DHS had obtained documentation supporting the contractor reimbursement request, the documentation was not adequate to fully evaluate compliance with allowability requirements defined in 2 CFR §200.403.
Cause: Lack of adequate review of contractor-provided documentation prior to reimbursement. Documentation submitted by subrecipients was deemed insufficient to evaluate compliance with 2 CFR §200.403.
Effect: Reimbursements for unallowable activities could be made by these federal programs and not be detected.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-052a Adopt specific policy requirements regarding documentation required from subrecipients in support of reimbursement requests.
2024-052b Obtain adequate and complete documentation to support the allowability of costs claimed under contracts before authorization of payment.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PAYMENTS TO SUBRECIPIENTS
Invoices provided by subrecipients for both TANF and Childcare did not include all underlying documentation to support the amount requested.
Background: TANF: A State may contract with charitable, religious, and private organizations to provide administrative and programmatic services and may provide beneficiaries of assistance with certificates, vouchers, or other forms of disbursement that are redeemable with such organization (42 USC 604a(b), 42 USC 604a(k), and 45 CFR §260.34).
CCDF: Funds may be used for activities that improve the quality or availability of child care services, consumer education and parental choice (42 USC 9858e).
Subrecipients are required to submit periodic reports (FM-1) and supporting documentation to DHS to receive payment.
Criteria: Uniform guidance, 2 CFR §200.403, Factors affecting allowability of costs, include that those costs:
(a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles.
(b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items.
(c) Be consistent with policies and procedures that apply uniformly to both federally financed and other activities of the recipient or subrecipient.
(d) Be accorded consistent treatment. For example, a cost must not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose in like circumstances has been allocated to the Federal award as an indirect cost.
(e) Be determined in accordance with generally accepted accounting principles (GAAP).
(f) Not be included as a cost or used to meet cost sharing requirements of any other federally-financed program in either the current or a prior period.
(g) Be adequately documented.
Condition: Subrecipients submit monthly invoices requesting reimbursement for cost categories such as Payroll, Overhead, Consulting, Supplies, and Travel. Eighteen out of 25 TANF contract payments tested were lacking supporting documentation for at least one cost category reported on the FM-1. We also noted 19 out of 25 CCDF contract payments were lacking supporting documentation for payroll costs reported on the FM-1. While DHS had obtained documentation supporting the contractor reimbursement request, the documentation was not adequate to fully evaluate compliance with allowability requirements defined in 2 CFR §200.403.
Cause: Lack of adequate review of contractor provided documentation prior to reimbursement. Documentation submitted by subrecipients deemed insufficient to evaluate compliance with 2 CFR §200.403.
Effect: Reimbursements for unallowable activities could be made by these federal programs and not be detected.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-052a Adopt specific policy requirements regarding documentation required from subrecipients in support of reimbursement requests.
2024-052b Obtain adequate and complete documentation to support the allowability of costs claimed under contracts before authorization of payment.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PAYMENTS TO SUBRECIPIENTS
Invoices provided by subrecipients for both TANF and Childcare did not include all underlying documentation to support the amount requested.
Background: TANF: A State may contract with charitable, religious, and private organizations to provide administrative and programmatic services and may provide beneficiaries of assistance with certificates, vouchers, or other forms of disbursement that are redeemable with such organization (42 USC 604a(b), 42 USC 604a(k), and 45 CFR §260.34).
CCDF: Funds may be used for activities that improve the quality or availability of child care services, consumer education and parental choice (42 USC 9858e).
Subrecipients are required to submit periodic reports (FM-1) and supporting documentation to DHS to receive payment.
Criteria: Uniform guidance, 2 CFR §200.403, Factors affecting allowability of costs, include that those costs:
(a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles.
(b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items.
(c) Be consistent with policies and procedures that apply uniformly to both federally financed and other activities of the recipient or subrecipient.
(d) Be accorded consistent treatment. For example, a cost must not be assigned to a Federal award as a direct cost if any other cost incurred for the same purpose in like circumstances has been allocated to the Federal award as an indirect cost.
(e) Be determined in accordance with generally accepted accounting principles (GAAP).
(f) Not be included as a cost or used to meet cost sharing requirements of any other federally-financed program in either the current or a prior period.
(g) Be adequately documented.
Condition: Subrecipients submit monthly invoices requesting reimbursement for cost categories such as Payroll, Overhead, Consulting, Supplies, and Travel. Eighteen out of 25 TANF contract payments tested were lacking supporting documentation for at least one cost category reported on the FM-1. We also noted 19 out of 25 CCDF contract payments were lacking supporting documentation for payroll costs reported on the FM-1. While DHS had obtained documentation supporting the contractor reimbursement request, the documentation was not adequate to fully evaluate compliance with allowability requirements defined in 2 CFR §200.403.
Cause: Lack of adequate review of contractor-provided documentation prior to reimbursement. Documentation submitted by subrecipients was deemed insufficient to evaluate compliance with 2 CFR §200.403.
Effect: Reimbursements for unallowable activities could be made by these federal programs and not be detected.
Questioned Costs: Undetermined
Valid Statistical Sample: Yes
RECOMMENDATIONS
2024-052a Adopt specific policy requirements regarding documentation required from subrecipients in support of reimbursement requests.
2024-052b Obtain adequate and complete documentation to support the allowability of costs claimed under contracts before authorization of payment.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain aspects of the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions were not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RITANF; 2401RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS); Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Findings 2024-016 and 2024-021.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, monitoring of system access, and oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans). IT security deficiencies identified through these processes should be tracked by the State to ensure timely remediation by the contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to occur biennially);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessments of a set of security and privacy standards, established by the Centers for Medicare and Medicaid Services, applicable to entities managing Health Insurance Exchanges. These assessments are performed annually with the audit scope rotating over a three-year period; and
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information.
In fiscal 2024, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since annual attestation engagements are not contractually required). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
The MARS-E evaluation for the quarter ending June 30, 2024 cited significant findings and recommendations within the RIBridges IT security assessment, including:
• Documentation lacking to evaluate security controls;
• Continued use of unsupported applications in need of update or patching;
• Lack of contractor tracking of exceptions and risk assessments;
• Contractor only sharing partial vulnerability scanning results;
• Lack of a robust triage process for security vulnerabilities; and
• Inadequate consideration of IT security vulnerabilities with industry best practices.
Several of these findings were also identified in prior MARS-E assessments.
Our review of controls over RIBridges’ system user access in fiscal 2024 also identified that user access relating to the Child Care and Employment Activity Referral and Response functions was not subject to the same access deactivation processes as other programs administered through the system. DHS has recently implemented procedures to address this issue.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-053a Improve monitoring of MMIS system access, oversight of IT security activities performed by the system contractor (e.g., penetration testing and vulnerability scans), and tracking of IT security deficiencies to ensure timely remediation by the contractor.
2024-053b Implement recommendations identified in the MARS-E assessment to improve IT security administration of the RIBridges system.
2024-053c Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
2024-053d Ensure consistent implementation of controls over system user access across all programs administered through RIBridges.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
System controls over eligibility determinations and income validation within RIBridges require strengthening for the CCDF Cluster programs. Controls over the documentation of eligibility need improvement to support compliance with federal regulations.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program.
Criteria: Lead agencies must have procedures in place for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements adopted by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding scale fee, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: RIBridges lacked effective income validation controls to determine program eligibility. Documentation supporting child care program eligibility was not found in 5 out of the 40 sample cases we reviewed, resulting in a 12.5% error rate. The complete details of our testing are presented in the following table:
[See table within Finding]
Our sample of 40 household monthly benefit payments totaled $8,392. Questioned costs noted during our sample testing totaled $1,076 for a benefit error rate of 12.82%. Projecting our sample error rate to the Child Care program’s proportionate share (46% of total benefit population; $29.8 million funded by Child Care) resulted in estimated likely questioned costs of $3.8 million of the total program expenditures. The significance of our sample error rate and projected questioned costs, relating to critical documentation deficiencies, was determined to represent material noncompliance with CCDF eligibility requirements in fiscal 2024.
DHS review of 2 of the 3 exceptions where documentation of eligibility was lacking found those cases to be initiated by the Department of Children, Youth and Families (DCYF) for children in the State’s custody or known through DCYF programs. DHS indicated that current processes do not require documentation of eligibility for applicants initiated by DCYF to be included in RIBridges. Our position is that documentation supporting eligibility for all CCDF program applicants should be supported by RIBridges.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documents are missing. Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined.
Effect: Noncompliance with childcare eligibility requirements. The parental income/co-shares could be incorrectly determined. Failure to end benefits timely due to income changes.
Questioned Costs: $35,911
Valid Statistical Sample: Yes
RECOMMENDATION
2024-054 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
System controls over eligibility determinations and income validation within RIBridges require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility need improvement to support compliance with federal regulations.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program.
Criteria: Lead agencies must have procedures in place for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements adopted by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding scale fee, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: RIBridges lacked effective income validation controls to determine program eligibility. Documentation supporting child care program eligibility was not found in 5 out of the 40 sample cases we reviewed, resulting in a 12.5% error rate. The complete details of our testing are presented in the following table:
[See table within Finding]
Our sample of 40 household monthly benefit payments totaled $8,392. Questioned costs noted during our sample testing totaled $1,076 for a benefit error rate of 12.82%. Projecting our sample error rate to the Child Care program’s proportionate share (46% of total benefit population; $29.8 million funded by Child Care), resulted in estimated likely questioned costs of $3.8 million of the total program expenditures. The significance of our sample error rate and projected questioned costs, relating to critical documentation deficiencies, was determined to represent material noncompliance with CCDF eligibility requirements in fiscal 2024.
DHS review of 2 of the 3 exceptions where documentation of eligibility was lacking found those cases to be initiated by the Department of Children, Youth and Families (DCYF) for children in the State’s custody or known through DCYF programs. DHS indicated that current processes do not require documentation of eligibility for applicants initiated by DCYF to be included in RIBridges. Our position is that documentation supporting eligibility for all CCDF program applicants should be supported by RIBridges.
Cause: RIBridges does not prevent a case from being approved for eligibility for missing required documents. Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined.
Effect: Noncompliance with childcare eligibility requirements. The parental income/co-shares could be incorrectly determined. Failure to end benefits timely due to income changes.
Questioned Costs: $35,911
Valid Statistical Sample: Yes
RECOMMENDATION
2024-054 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
System controls over eligibility determinations and income validation within RIBridges require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility need improvement to support compliance with federal regulations.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program.
Criteria: Lead agencies must have procedures in place for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements adopted by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding scale fee, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: RIBridges lacked effective income validation controls to determine program eligibility. Documentation supporting child care program eligibility was not found in 5 out of the 40 sample cases we reviewed, resulting in a 12.5% error rate. The complete details of our testing are presented in the following table:
[See table within Finding]
Our sample of 40 household monthly benefit payments totaled $8,392. Questioned costs noted during our sample testing totaled $1,076 for a benefit error rate of 12.82%. Projecting our sample error rate to the Child Care program’s proportionate share (46% of total benefit population; $29.8 million funded by Child Care), resulted in estimated likely questioned costs of $3.8 million of the total program expenditures. The significance of our sample error rate and projected questioned costs, relating to critical documentation deficiencies, was determined to represent material noncompliance with CCDF eligibility requirements in fiscal 2024.
DHS review of 2 of the 3 exceptions where documentation of eligibility was lacking found those cases to be initiated by the Department of Children, Youth and Families (DCYF) for children in the State’s custody or known through DCYF programs. DHS indicated that current processes do not require documentation of eligibility for applicants initiated by DCYF to be included in RIBridges. Our position is that documentation supporting eligibility for all CCDF program applicants should be supported by RIBridges.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documents are missing. Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined.
Effect: Noncompliance with childcare eligibility requirements. The parental income/co-shares could be incorrectly determined. Failure to end benefits timely due to income changes.
Questioned Costs: $35,911
Valid Statistical Sample: Yes
RECOMMENDATION
2024-054 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2301RICCDF; 2401RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Special Tests and Provisions – Health and Safety
NONCOMPLIANCE WITH HEALTH AND SAFETY REQUIREMENTS
The DHS Office of Child Care’s (OCC) monitoring policies and procedures are not ensuring childcare provider compliance with health and safety standards.
Background: The Department of Human Services (DHS), the lead agency, operates the Office of Child Care (OCC) which administers the Child Care Assistance program as well as the licensing and monitoring of participating child care centers. DHS has adopted formalized licensure and health and safety policies and procedures designed to ensure compliance with 45 CFR §98.41, Health and safety requirements.
In addition to OCC provider case file reviews in fiscal 2024, the Office of the Auditor General conducted site visits to a sample of Family Child Care (FCC) and Child Care Center (CCC) providers in connection with an ongoing performance audit of Child Care health and safety standards.
Criteria: 45 CFR §98.41, Health and safety requirements state that “(a) Each Lead Agency shall certify that there are in effect, within the State (or other area served by the Lead Agency), under State, local or tribal law, requirements (appropriate to provider setting and age of children served) that are designed, implemented, and enforced to protect the health and safety of children. Such requirements must be applicable to child care providers of services for which assistance is provided under this part.” 45 CFR §98.41 details the minimum health and safety topics that need to be covered by State Child Care rules and regulations.
RI Code of Regulations, Title 218, Department of Human Services, Chapter 70, Office of Child Care Licensing, Parts 1 and 2, mandate licensing standards for Child Care Centers and Family Child Care Centers.
Condition: While DHS has comprehensive policies and procedures adopted in relation to Child Care program Health and Safety standards, our audit identified varying levels of compliance with those policies and procedures when reviewing provider case files and visiting child care providers. Our sample of 50 providers noted the following noncompliance with OCC health and safety requirements:
• 34 of 50 (68%) providers reviewed lacked documentation of background record checks;
• 17 of 50 (34%) providers reviewed lacked documentation of child immunization records for non-school age children (immunization records were not documented for 46 out of 439 or 10.4% of children reviewed at the selected providers);
• 5 of 50 (10%) providers did not have an emergency preparedness and response plan that addressed all required components;
• 9 of 30 (30%) providers with infant care were noted to have unallowable items in the facility cribs;
• 20 of 50 (40%) providers did not have toxic substances clearly labeled and in a secure area; and
• 22 of 50 (44%) providers did not have complete developmental histories for children in their care (developmental histories were not documented for 61 out of 336 children or 18.2% of children reviewed at the selected providers).
Child care provider compliance was found to be high for requirements for liability insurance coverage, fire inspections, lead inspections, and radon inspections.
Cause: DHS OCC monitoring policies and procedures are not ensuring child care provider compliance with health and safety standards.
Effect: Noncompliance with child care provider health and safety requirements designed to ensure the health and safety of children covered under the Child Care and Development Fund program.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-055 Evaluate current monitoring procedures and resources needed to improve child care provider compliance with health and safety requirements.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to public health emergency (PHE) regulations and policy modifications that extended into fiscal year 2024, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $147.5 million in fiscal 2024. Benefit expenditures mainly constituted managed care capitation payments for CHIP eligible individuals. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted PHE unwinding procedures, which required a phased rollout of eligibility redetermination procedures during fiscal 2024.
Eligibility for CHIP is mainly determined through the State’s integrated eligibility system, RIBridges. Individuals are assigned CHIP eligible aid categories, which are then communicated to the Medicaid Management Information System (MMIS) where fee-for-service claims and managed care capitation (i.e., healthcare premiums) are paid on behalf of the individuals. The MMIS allocates expenditures for claims and capitation based on the individual’s aid category.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $5.8 million in federal expenditures) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2024, we tested a sample of 60 CHIP eligible members (population of individuals with reported CHIP eligibility during fiscal year 2024 totaled 52,198). Fee-for-service and managed care capitation payments for fiscal 2024 approximated $20.4 million (federal share - $14.1 million) and $119.1 million (federal share - $82.2 million), respectively. Of the 60 cases (eligibility segment for sampled CHIP members) sampled, our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking (2 cases; questioned costs - $906).
• Social security number was not validated for an individual older than 12 months (1 case; questioned costs - $172).
• The SWICA interface utilized to validate household income did not properly report in the RIBridges case record. Since RIBridges reported incomplete SWICA income, the system failed to detect that household income exceeded federal income limits for CHIP and would have been ineligible for program benefits (1 case; questioned costs - $344).
• Citizenship was not documented. This child should have been covered under the State program since ineligible for Medicaid or CHIP (1 case; questioned costs - $524).
• Eligibility determination was impacted by eligibility technician (ET) worker errors. Errors included failure to 1) redetermine the case when household member turned 19 years old and 2) end date an employment segment when the household member lost employment. In these cases, household income would have made the child eligible for Medicaid not CHIP (2 cases; questioned costs - $2,483).
• Eligibility was determined using self-attested data when the SWICA interface reported income greater than the self-attested amounts and in excess of household income limits. No additional requests for documentation were sent to resolve the income discrepancy (3 cases; questioned costs - $1,029).
• Child should have been ineligible for CHIP due to existing third-party health coverage (3 cases; questioned costs - $2,913). See additional questioned costs determined through separate evaluation of ineligible CHIP claiming of children with third-party health insurance coverage below.
Our testing found exceptions in 13 out of 60 sampled cases resulting in an error rate of 21.7%. Total claims and capitation paid for sample cases total $182,283 (federal share - $125,775). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for CHIP reimbursement totaled $8,371 or 6.7% of claiming for sampled CHIP individuals. Our test results supported projected questioned costs estimated at $9,284,114 (federal share - $6,408,360).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent found 609 children charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2024 for those members totaled $1,829,447 (questioned costs - $1,262,318). The State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, the functionality did not effectively ensure that only uninsured children were charged to CHIP funding sources in fiscal 2024.
Deficiencies in program controls to ensure that children aged out of CHIP at age 19 continued to be noted during fiscal 2024. An analysis of children charged to CHIP during fiscal 2024, age 19 (plus 3 months to allow for notice and redetermination) or older noted 229 individuals with managed care capitation payments claimed to CHIP totaling $771,916 (questioned costs - $532,622). While PHE unwinding procedures reduced noncompliance in this area from the prior year, significant noncompliance was still noted during fiscal 2024.
Based on our sample testing exception noted above, we analyzed instances where children initially coded eligible with expenditures funded under CHIP were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 132 cases within CHIP during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
The cumulative noncompliance identified by our testing procedures over CHIP eligibility was deemed to represent material noncompliance with CHIP program eligibility requirements.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage, failure to follow up on PARIS notifications), ET error, or insufficient documentation supporting eligibility within the case record (i.e., lack of income and citizenship documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,803,311
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-056a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration, PARIS notification follow-up) to strengthen controls and ensure compliance with federal regulations regarding CHIP eligibility.
2024-056b Identify ET worker errors and case documentation deficiencies and conduct training to address common issues leading to incorrect or unsupported eligibility determinations.
2024-056c Identify ineligible CHIP costs and return to the federal grantor.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS, which claims the expenditures on federal reports. Agencies periodically adjust administrative expenditures reported in the State accounting system to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Supervisory review and monitoring were lacking or not formalized, as most agency cost allocation systems are operated by one individual; and
• Monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance is not being performed.
During our audit, reconciliations for prior period administrative claiming for BHDDH were ongoing to correct expenditures claimed in prior periods. Amounts claimed in prior quarters were not based on final cost allocation results and BHDDH did not provide the necessary reporting adjustments to correct prior period claiming.
Cause: Controls over allocation of administrative costs claimed to Medicaid and CHIP were not effective to ensure compliance with federal regulations.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-057 Improve internal controls over administrative claiming to federal programs by 1) completely documenting cost allocation policies and procedures, 2) reconciling quarterly cost allocation results to the State accounting system, and 3) enhancing supervision and monitoring of the cost allocation process.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods beginning on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State achieved compliance with the federal requirements for the periodic audit of encounter data in fiscal 2023 by contracting for its first study of MCO encounter data validation. The encounter data validation study evaluated incomplete data, performed missing data quality checks, and assessed the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality, coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans, represents efforts to improve the overall quality of financial and claim data submitted by the State’s managed care organizations.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-058a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2024-058b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) check the LEIE and EPLS no less frequently than monthly.
42 CFR §488.330, Certification of compliance or noncompliance, (f) Provider Agreements, provides that CMS or the Medicaid agency may execute a provider agreement when a prospective provider is in substantial compliance with all the requirements for participation for a SNF or NF, respectively.
42 CFR §442.101, Obtaining certification, (a) This section states the requirements for obtaining notice of an ICF/IID's certification before a Medicaid agency executes a provider agreement under §442.12.
Condition: Our testing of 60 sampled fee-for-service and managed care organization providers for provider eligibility during fiscal 2024 noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. In contrast to the practice for most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. In contrast to the practice for most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from DCYF, resulting in a weakness in control for this segment of providers.
• For 4 out of 60 providers sampled, we noted instances where providers remained active during fiscal 2024 after provider licenses had expired, evidencing a deficiency in internal control relating to timely provider deactivation if provider licensure is not evidenced. No claims were paid to these providers; thus, noncompliance was not noted.
• Our review of provider licensure disciplinary actions taken by the RI Department of Health during fiscal 2024 identified 3 instances where provider licenses remained active after the provider’s license was revoked or suspended. There are no current processes that ensure that providers are made inactive in a timely manner upon license suspension or revocation.
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. This deficiency in internal controls over provider eligibility prevents the detection of claims submitted by unenrolled providers. Our testing noted 4 managed care providers that were not enrolled in the Medicaid Program as required by federal regulations, resulting in noncompliance with provider eligibility requirements (questioned costs - $3,371). All 4 providers were out-of-state providers required to be enrolled under federal regulations based on the volume of services billed to RI Medicaid. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim, in limited circumstances, to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-state providers with limited claiming activity.
• The State did not have documentation supporting review of the SSA Death Master file for 19 out of the 60 providers we tested.
• Federal regulations require States to check federal databases on a monthly basis for providers excluded from participating in federal programs. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State was not performing monthly checks during fiscal 2024.
• Federal regulations require the Medicaid agency to execute provider agreements with nursing facility providers and intermediate care facilities for individuals with intellectual disabilities (ICF/IID) upon receiving notification from the State survey and certification unit that the provider has been certified in substantial compliance with federal health and safety regulations. The State Medicaid agency lacked documentation of finalized provider agreements and approval letters to providers for 6 out of 18 providers reviewed. With respect to the State’s only ICF/IID facility, the State Medicaid agency was not monitoring the RI Department of Health’s (RIDOH) certification process and had no documentation from RIDOH regarding the facility’s health and safety certification. All providers were recertified by RIDOH and compliant with program health and safety requirements.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $3,371
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-059 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) check the LEIE and EPLS no less frequently than monthly.
42 CFR §488.330, Certification of compliance or noncompliance, (f) Provider Agreements, provides that CMS or the Medicaid agency may execute a provider agreement when a prospective provider is in substantial compliance with all the requirements for participation for a SNF or NF, respectively.
42 CFR §442.101, Obtaining certification, (a) This section states the requirements for obtaining notice of an ICF/IID's certification before a Medicaid agency executes a provider agreement under §442.12.
Condition: Our testing of 60 sampled fee-for-service and managed care organization providers for provider eligibility during fiscal 2024 noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Unlike for most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Unlike for most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual licensing data from DCYF, resulting in a weakness in control for this segment of providers.
• For 4 out of 60 providers sampled, we noted instances where providers remained active during fiscal 2024 after provider licenses had expired, evidencing a deficiency in internal control relating to timely provider deactivation if provider licensure is not evidenced. No claims were paid to these providers; thus, noncompliance was not noted.
• Our review of provider licensure disciplinary actions taken by the RI Department of Health during fiscal 2024 identified 3 instances where provider licenses remained active after the provider’s license was revoked or suspended. There are no current processes that ensure that providers are made inactive in a timely manner upon license suspension or revocation.
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. This deficiency in internal controls over provider eligibility prevents the detection of claiming submitted by unenrolled providers. Our testing noted 4 managed care providers that were not enrolled in the Medicaid Program as required by federal regulations resulting in noncompliance with provider eligibility requirements (questioned costs - $3,371). All 4 providers were out-of-state providers required to be enrolled under federal regulations based on the volume of services billed to RI Medicaid. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim, in limited circumstances, to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-state providers with limited claiming activity.
• The State did not have documentation supporting review of the SSA Death Master file for 19 out of the 60 providers we tested.
• Federal regulations require States to check federal databases on a monthly basis for providers excluded from participating in federal programs. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State was not performing monthly checks during fiscal 2024.
• Federal regulations require the Medicaid agency to execute provider agreements with nursing facility providers and intermediate care facilities for individuals with intellectual disabilities (ICF/IID) upon receiving notification from the State survey and certification unit that the provider has been certified in substantial compliance with federal health and safety regulations. The State Medicaid agency lacked documentation of finalized provider agreements and approval letters to providers in 6 out of 18 providers reviewed. With respect to the State’s only ICF/IID facility, the State Medicaid agency was not monitoring the RI Department of Health’s (RIDOH) certification process and had no documentation from RIDOH regarding the facility’s health and safety certification. All providers were recertified by RIDOH and compliant with program health and safety requirements.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $3,371
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-059 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2024-005.
Capitation payments to managed care organizations (MCOs) represent approximately 57% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2024 approximated $2.1 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for more than 300,000 Medicaid eligible members – approximately 87% of total Medicaid enrollees at June 30, 2024. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See table within Finding]
In addition to capitation for medical services, RI Medicaid also expends over $30 million in premiums for dental coverage through the RIte Smiles program for more than 130,000 children in the RIte Care program. Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2024-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2024-058, Managed Care Financial Audit – CMS’s inclusion of financial audit requirements relating to managed care was designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with federal requirements for contracted MCOs to submit audited financial reports specific to the Medicaid contract on an annual basis continues to represent a deficiency in internal control over managed care contract settlements.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2023 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. While the amount of claiming submitted by encounter data continued to improve, medical expenditures reported by the MCOs still exceeded submitted encounter data by $15.3 million in fiscal 2024. The following table provides context regarding the amount of medical expenditures that were not supported by encounter data in fiscal 2023 contract settlements.
[See table within Finding]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-060 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2024-005.
Capitation payments to managed care organizations (MCOs) represent approximately 57% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2024 approximated $2.1 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for more than 300,000 Medicaid eligible members – approximately 87% of total Medicaid enrollees at June 30, 2024. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See table within Finding]
In addition to capitation for medical services, RI Medicaid also expends over $30 million in premiums for dental coverage through the RIte Smiles program for more than 130,000 children in the RIte Care program. Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2024-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2024-058, Managed Care Financial Audit – CMS’s managed care financial audit requirements were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with federal requirements for contracted MCOs to submit audited financial reports specific to the Medicaid contract on an annual basis continues to represent a deficiency in internal control over managed care contract settlements.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2023 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. While the amount of claiming submitted by encounter data continued to improve, medical expenditures reported by the MCOs still exceeded submitted encounter data by $15.3 million in fiscal 2024. The following table provides context regarding the amount of medical expenditures that were not supported by encounter data in fiscal 2023 contract settlements.
[See table within Finding]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-060 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State accounting system (RIFANS) is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2024 noted the following reporting deficiencies:
• Approximately $8.4 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Healthcare related taxes and fees were reported quarterly for all identified healthcare related taxes required to be reported on the CMS-64 report in fiscal 2024. Testing of reports in fiscal 2024, however, identified errors which resulted in understatements of nursing home and HMO provider taxes in the amounts of $6.6 million and $18.3 million, respectively. The reporting of healthcare related taxes and fees is informational only, and therefore, does not affect the actual reporting of federal expenditures applicable to Medicaid.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Internal controls in the form of supervisory review of reporting are lacking to identify and correct errors in report preparation.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2024-061a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2024-061b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2024-061c Implement procedures for supervisory review of all federal reports before submission.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2024, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. Our procedures evaluated only TPL coverages that were consistent with the State’s managed care coverage.
We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our testing during fiscal 2024 found that the State’s three managed care organizations were unaware of existing private insurance for 48.3% (29 out of 60) of their covered members. These results showed a significant decline in MCO TPL verification from fiscal 2023.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-062 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2024-062 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
The Executive Office of Health and Human Services (EOHHS) needs to formalize and document internal control procedures to ensure local education agency (LEA) compliance with Medicaid requirements relating to the allowability of special education services.
Criteria: 2 CFR §200.303 Internal controls, requires the State to “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), (b) comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award, (c) evaluate and monitor the recipient's or subrecipient's compliance with statutes, regulations, and the terms and conditions of Federal awards, and (d) take prompt action when instances of noncompliance are identified.”
Condition: EOHHS did not conduct periodic site visits to LEAs during fiscal 2024. EOHHS has well-established policies and procedures relating to its oversight of special education services, which are detailed in Direct and Administrative Services Guidebooks for LEAs. Without periodic site visits or other documented control procedures designed to ensure local education agency compliance with the Medicaid policies and procedures that define the requirements for the allowability of special education services, internal controls are currently lacking over compliance in this area. In formalizing internal controls, EOHHS will be able to define the appropriate amount of oversight needed to ensure compliance with requirements for LEA special education services.
Cause: Lack of documented internal controls over LEA direct and administrative claiming.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-063 Document and implement internal controls to ensure the allowability of special education services for reimbursement by Medicaid.
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5021, 2305RI3002; 2405RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
MEDICAID ELIGIBILITY QUALITY CONTROL
EOHHS did not comply with 42 CFR §431.812(a), which requires the Medicaid Eligibility Quality Control (MEQC) process to function independently of the personnel responsible for eligibility determination processes.
Criteria: 42 CFR §431.812(a), Review Procedures – General Requirements, Internal controls, requires the State “to conduct a MEQC pilot during the 2 years between required PERM cycles in accordance with the approved pilot planning document specified in §431.814, as well as other instructions established by CMS. The agency and personnel responsible for the development, direction, implementation, and evaluation of the MEQC reviews and associated activities, must be functionally and physically separate from the State agencies and personnel that are responsible for Medicaid and CHIP policy and operations, including eligibility determinations.”
Condition: Due to staffing limitations within the MEQC unit, eligibility supervisors from the Department of Human Services (DHS) were utilized to conduct MEQC case reviews during fiscal 2024. Since those supervisors directly oversee the processing of Medicaid eligibility within DHS field offices, this represented noncompliance with federal requirements. Our review of the MEQC case reviews found that the reviews were performed in accordance with the department’s policies and procedures and that the results of the reviews performed were consistent with our own testing of CHIP and Medicaid eligibility requirements, citing many of the same deficiencies.
Cause: Lack of MEQC unit staffing required the use of staff that was not organizationally independent of the program’s eligibility determination processes.
Effect: Noncompliance with federal regulations relating to the operation of MEQC processes within the Medicaid program.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-064 Address staffing deficiencies within the MEQC unit to provide for organizationally independent staff to conduct required quality control procedures.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s integrated eligibility system (IES) used to administer multiple federally funded human services programs, determines eligibility for Medicaid. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted public health emergency (PHE) unwinding procedures requiring a phased rollout of member eligibility redeterminations during fiscal 2024.
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR §435.940 through §435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
Medicaid Modified Adjusted Gross Income (MAGI) Determination and Validation policies are formalized within Title 210, Executive Office of Health and Human Services, of the RI Code of Regulations, Chapter 30, Subchapter 00, Part 5, Policy 5.8, Verification Process. Part B of Policy 5.8 states:
"B. The following lists key eligibility factors, the types of verification required for attestations, if any, and the verification sources for Medicaid Affordable Care Coverage (MACC) Group applicants/beneficiaries:
1. Identity – An applicant must provide proof of identity when applying through the IES or filing a paper application. The requirements related to identity proofing are set forth in Part 30-00-3 of Title 210. Certain applicants may not be able to obtain identity proofing through the federal hub due to data limitations. Pre-eligibility verification is required through an alternative electronic paper documentation source in these instances to establish an account.
2. Income – Electronic verification of attested income is required by the State. Multiple electronic data sources may be used for this purpose. In general, State data sources (such as State Wage Information Collection Agency (SWICA) UI) will be used first. The reasonable compatibility standard applies when there are discrepancies between the applicant’s income self-attestation and information from electronic data sources.
3. General Eligibility – Non-Financial Factors – (Social Security Numbers, Age, Citizenship, Death, Date of Birth, Residency, and Incarceration). Information on these eligibility factors is verified against various State and federal data sources. Information specific to verification requirements for MAGI populations is located in Part 30-00-3 of Title 210; for Medicaid and CHIP-funded eligibility more generally, the applicable provisions are set forth in Part 30-00-3 of Title 210."
Condition: For fiscal 2024, we tested a sample of 60 Medicaid eligible members (total population of individuals with reported Medicaid eligibility during fiscal year 2024 totaled 364,142) for compliance with program eligibility. Total capitation payments claimed to Medicaid exceeded $2.1 billion (federal share - $1.4 billion) during fiscal 2024. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the SWICA interface were noted in 2 out of 60 cases (questioned costs - $557). Income verified in the case record or reported by the SWICA interface, if utilized to determine eligibility, would have made the members ineligible for Medicaid.
• Documentation supporting applicant citizenship (e.g., electronic Social Security Administration validation or applicant submitted documentation) was lacking in 3 out of 60 cases (questioned costs - $17,877).
• Members were determined ineligible in RIBridges; however, the change in eligibility status was not communicated to the MMIS in 2 out of the 60 cases. These members remained continuously Medicaid eligible in the MMIS and enrolled in managed care (questioned costs - $1,084).
As noted above, eligibility was determined to be incorrect or unsupported in 7 of 60 sample members tested (11.7% error rate). Total claims and capitation paid for sample cases totaled $344,149 (federal share - $231,147). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for Medicaid reimbursement totaled $19,518 or 6.5% of claiming for sampled Medicaid individuals. Our test results supported projected questioned costs estimated at $234 million (federal share - $157 million). Our sample error rate of 11.7% was comparable to the 15% reported case error rate noted by the Medicaid Eligibility Quality Control unit’s review of calendar year 2023 cases.
In addition to evaluating eligibility determinations, we also tested recipient eligibility in conjunction with our testing of managed care capitation payments. Our testing of sampled managed care payments in fiscal 2024 also noted an exception where capitation payments totaling $3,784 (federal share - $2,119) were made for an ineligible individual. In this instance, RIBridges determined the individual ineligible for Medicaid but eligibility was not ended in the MMIS, allowing capitation payments to continue.
We also noted the following exceptions during our case reviews that were indicative of eligibility processing deficiencies but did not impact member eligibility for Medicaid:
• Member’s eligibility was terminated in error and had to be reinstated;
• Mismatch of Social Security Number between MMIS and RIBridges;
• Income from lost employment was utilized in household income in error;
• Member eligibility aid categories were not properly updated when redetermined;
• Case information submitted by member was not properly updated in case record; and
• Certain system tasks were not acted upon in a timely manner.
These exceptions should be evaluated by management and addressed as they could have impacted the member’s eligibility determination.
In addition to the noncompliance identified by our sample audit procedures above, we also performed data mining procedures, which identified the following noncompliance with eligibility requirements:
Since income verification was noted as a significant issue in our sample testing, we conducted additional data mining procedures to further evaluate the operating effectiveness of the SWICA interface within RIBridges. Our analysis identified individuals with quarterly income in excess of $20,000 reported in the SWICA file obtained from the RI Department of Labor and Training for 5 consecutive quarters (quarter ending June 30, 2023 through the quarter ending June 30, 2024) that had Medicaid eligibility for the entirety of fiscal 2024. Our analysis identified 144 individuals with reported annual income in excess of $80,000 where excess income was not detected and individuals remained eligible as of June 30, 2024. EOHHS will need to review these cases and determine why the system functionality did not operate effectively. These cases will also need follow-up to provide proper member notification and eligibility redetermination.
The State continued to claim Medicaid Expansion enhanced reimbursement (90% Federal Medical Assistance Percentage) for certain members older than 65 during fiscal 2024. Our analysis identified 91 members where RI Medicaid failed to redetermine eligibility at age 65; 33 of these members were older than age 67. We identified $559,374 in capitation paid for these members after the age of 65 (federal questioned costs - $503,437). While this issue was improved in fiscal 2024 by Medicaid members being redetermined during the PHE unwinding process, controls were still found lacking to ensure that individuals were aged out of Medicaid Expansion upon turning age 65.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2024 to determine the State’s timeliness of terminating eligibility for deceased members. The Do Not Pay service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 1,706 deceased members (reported date of death prior to March 31, 2024 to allow for 90 days for identification and notification requirements) still active on Medicaid at June 30, 2024. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2024 subsequent to the month of death is summarized as follows:
[See table within Finding]
While PHE unwinding procedures also led to some improvements during fiscal 2024, controls to ensure timely termination of Medicaid enrollment upon death still appear insufficient to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments continue is significant and could span managed care contract settlement periods. To provide context on how long capitation payments can continue when a member's death is not detected in a timely manner, our analysis identified 457 members whose reported dates of death were more than 2 years old. We identified capitation payments totaling $2.7 million for deceased members that would be considered unallowable Medicaid payments (federal questioned costs - $1,602,490).
We also analyzed instances where children initially coded eligible with expenditures funded under Medicaid were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 282 cases within Medicaid during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation). Significant differences in eligibility reported between the MMIS and RIBridges also resulted in noncompliance with federal requirements for eligibility.
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $2,127,564
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-065a Address and correct the eligibility system and process deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, citizenship verification, death reporting, PARIS reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2024-065b Implement procedures to identify noncompliance resulting from eligibility system and process deficiencies so that cases can be worked manually to resolve long-standing instances of noncompliance detected by external audits and MEQC processes.
2024-065c Identify ineligible Medicaid costs and return to the federal grantor.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s integrated eligibility system (IES) used to administer multiple federally funded human services programs, determines eligibility for Medicaid. Certain modifications to program eligibility requirements remained in place to some extent as the State conducted public health emergency (PHE) unwinding procedures requiring a phased rollout of member eligibility redeterminations during fiscal 2024.
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR §435.940 through §435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
Medicaid Modified Adjusted Gross Income (MAGI) Determination and Validation policies are formalized within Title 210, Executive Office of Health and Human Services, of the RI Code of Regulations, Chapter 30, Subchapter 00, Part 5, Policy 5.8, Verification Process. Part B of Policy 5.8 states:
"B. The following lists key eligibility factors, the types of verification required for attestations, if any, and the verification sources for Medicaid Affordable Care Coverage (MACC) Group applicants/beneficiaries:
1. Identity – An applicant must provide proof of identity when applying through the IES or filing a paper application. The requirements related to identity proofing are set forth in Part 30-00-3 of Title 210. Certain applicants may not be able to obtain identity proofing through the federal hub due to data limitations. Pre-eligibility verification is required through an alternative electronic paper documentation source in these instances to establish an account.
2. Income – Electronic verification of attested income is required by the State. Multiple electronic data sources may be used for this purpose. In general, State data sources (such as State Wage Information Collection Agency (SWICA) UI) will be used first. The reasonable compatibility standard applies when there are discrepancies between the applicant’s income self-attestation and information from electronic data sources.
3. General Eligibility – Non-Financial Factors – (Social Security Numbers, Age, Citizenship, Death, Date of Birth, Residency, and Incarceration). Information on these eligibility factors is verified against various State and federal data sources. Information specific to verification requirements for MAGI populations is located in Part 30-00-3 of Title 210; for Medicaid and CHIP-funded eligibility more generally, the applicable provisions are set forth in Part 30-00-3 of Title 210."
Condition: For fiscal 2024, we tested a sample of 60 Medicaid eligible members (total population of individuals with reported Medicaid eligibility during fiscal year 2024 totaled 364,142) for compliance with program eligibility. Total capitation payments claimed to Medicaid exceeded $2.1 billion (federal share - $1.4 billion) during fiscal 2024. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the SWICA interface were noted in 2 out of 60 cases (questioned costs - $557). Income verified in the case record or reported by the SWICA interface, if utilized to determine eligibility, would have made the members ineligible for Medicaid.
• Documentation supporting applicant citizenship (e.g., electronic Social Security Administration validation or applicant submitted documentation) was lacking in 3 out of 60 cases (questioned costs - $17,877).
• Members were determined ineligible in RIBridges; however, the change in eligibility status was not communicated to the MMIS in 2 out of the 60 cases. These members remained continuously Medicaid eligible in the MMIS and enrolled in managed care (questioned costs - $1,084).
As noted above, eligibility was determined to be incorrect or unsupported in 7 of 60 sample members tested (11.7% error rate). Total claims and capitation paid for sample cases totaled $344,149 (federal share - $231,147). Questioned costs relating to sample cases for fiscal 2024 periods deemed ineligible for Medicaid reimbursement totaled $19,518 or 6.5% of claiming for sampled Medicaid individuals. Our test results supported projected questioned costs estimated at $234 million (federal share - $157 million). Our sample error rate of 11.7% was comparable to the 15% reported case error rate noted by the Medicaid Eligibility Quality Control unit’s review of calendar year 2023 cases.
In addition to evaluating eligibility determinations, we also tested recipient eligibility in conjunction with our testing of managed care capitation payments. Our testing of sampled managed care payments in fiscal 2024 also noted an exception where capitation payments totaling $3,784 (federal share - $2,119) were made for an ineligible individual. In this instance, RIBridges determined the individual ineligible for Medicaid but eligibility was not ended in the MMIS, allowing capitation payments to continue.
We also noted the following exceptions during our case reviews that were indicative of eligibility processing deficiencies but did not impact member eligibility for Medicaid:
• Member’s eligibility was terminated in error and had to be reinstated;
• Mismatch of Social Security Number between MMIS and RIBridges;
• Income from lost employment was utilized in household income in error;
• Member eligibility aid categories were not properly updated when redetermined;
• Case information submitted by member was not properly updated in case record; and
• Certain system tasks were not acted upon in a timely manner.
These exceptions should be evaluated by management and addressed as they could have impacted the member’s eligibility determination.
In addition to the noncompliance identified by our sample audit procedures above, we also performed data mining procedures, which identified the following noncompliance with eligibility requirements:
Since income verification was noted as a significant issue in our sample testing, we conducted additional data mining procedures to further evaluate the operating effectiveness of the SWICA interface within RIBridges. Our analysis identified individuals with quarterly income in excess of $20,000 reported in the SWICA file obtained from the RI Department of Labor and Training for 5 consecutive quarters (quarter ending June 30, 2023 through the quarter ending June 30, 2024) that had Medicaid eligibility for the entirety of fiscal 2024. Our analysis identified 144 individuals with reported annual income in excess of $80,000 where excess income was not detected and individuals remained eligible as of June 30, 2024. EOHHS will need to review these cases and determine why the system functionality did not operate effectively. These cases will also need follow-up to provide proper member notification and eligibility redetermination.
The State continued to claim Medicaid Expansion enhanced reimbursement (90% Federal Medical Assistance Percentage) for certain members older than 65 during fiscal 2024. Our analysis identified 91 members where RI Medicaid failed to redetermine eligibility at age 65; 33 of these members were older than age 67. We identified $559,374 in capitation paid for these members after the age of 65 (federal questioned costs - $503,437). While this issue was improved in fiscal 2024 by Medicaid members being redetermined during the PHE unwinding process, controls were still found lacking to ensure that individuals were aged out of Medicaid Expansion upon turning age 65.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2024 to determine the State’s timeliness of terminating eligibility for deceased members. The Do Not Pay service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 1,706 deceased members (reported date of death prior to March 31, 2024 to allow for 90 days for identification and notification requirements) still active on Medicaid at June 30, 2024. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2024 subsequent to the month of death is summarized as follows:
[See table within Finding]
While PHE unwinding procedures also led to some improvements during fiscal 2024, controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments are continuing is significant and could span managed care contract settlement periods. To provide context on how long capitation payments can continue when member death is not detected timely, our analysis identified 457 members that had reported dates of death greater than 2 years. We identified capitation payments totaling $2.7 million for deceased members that would be considered unallowable Medicaid payments (federal questioned costs - $1,602,490).
We also analyzed instances where children initially coded eligible with expenditures funded under Medicaid were re-coded and remained coded at year-end to a State coverage program titled “Cover All Kids.” Cover All Kids provides State-funded eligibility for undocumented children residing in the State that otherwise meet Medicaid and CHIP eligibility requirements. Our analysis found that the coding error impacted approximately 282 cases within Medicaid during fiscal 2024. EOHHS will need to conduct case level reviews of these cases to determine questioned costs incurred for undocumented children and credit the federal grantor for those costs.
Lastly, as a follow-up to our joint audit with the federal Department of Health and Human Services, Office of Inspector General, issued in March 2024, which evaluated the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality and related control processes designed to follow up on Public Assistance Reporting Information System (PARIS) notifications remained ineffective through fiscal 2024. The amount of capitation paid for members no longer residing in the State was not determinable during our audit period. EOHHS will need to re-establish its procedures to attempt communication with members reported through PARIS to comply with federal procedural requirements before terminating eligibility.
Operational and control deficiencies during fiscal 2024 resulted in material noncompliance with federal regulations relating to Medicaid eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation). Significant differences in eligibility reported between the MMIS and RIBridges also resulted in noncompliance with federal requirements for eligibility.
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $2,127,564
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2024-065a Address and correct the eligibility system and process deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, citizenship verification, death reporting, PARIS reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2024-065b Implement procedures to identify noncompliance resulting from eligibility system and process deficiencies so that cases can be worked manually to resolve long-standing instances of noncompliance detected by external audits and MEQC processes.
2024-065c Identify ineligible Medicaid costs and return to the federal grantor.
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2023; 2024
Federal Award Number: 2305RI5MAP; 2405RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2024-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023
Federal Award Number: 4505DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER PROJECT WORKBOOK REIMBURSEMENT SUBMISSIONS
Controls over project workbook submissions for reimbursement of eligible costs were not operating effectively to ensure all claimed costs were accurately documented, leading to reimbursement of unallowable costs.
Background: RIEMA, as the direct recipient agency of Public Assistance grants provided by FEMA, assists in the facilitation of cost reimbursement claims for the various departments and agencies within the State. Comprehensive workbooks are used to account for the itemized costs being claimed for reimbursement and are included as support to the reimbursement claim made through the FEMA Grants Portal.
Criteria: 2 CFR §200.403(g) requires that allowable costs under federal awards be adequately documented.
Condition: We selected a sample of 23 federal award drawdowns (cost reimbursement claims) during fiscal 2024, covering 96% of the population across 11 unique projects. Our testing of project workbook submissions found two discrepancies within project 694201 between amounts claimed for reimbursement in the workbooks and amounts recorded in the State accounting system and noted in supporting documentation:
• One line item for a claimed invoice appeared to have keyed an additional digit onto the claimed amount in error (questioned costs – $211,751).
• Another invoice appeared to transpose the incorrect column to the workbook in three out of four claimed line items (questioned costs – $117,352).
Cause: Review of project workbook submissions and supporting documentation was inadequate to identify claimed costs in excess of expenditures incurred by the State.
Effect: Reimbursement of costs that were not incurred by the State.
Questioned Costs: $329,103
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-067a Improve review procedures to ensure accuracy of workbook reimbursement submissions to FEMA.
2024-067b Credit the federal grantor for unallowable costs that were reimbursed.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023; 2022 - 2024
Federal Award Number: 4505DRRIP00000001; 4653DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
Controls were not in place to ensure adequate monitoring of subrecipients throughout the fiscal year.
Background: RIEMA, as the direct recipient agency of Public Assistance grants provided by FEMA, disburses pass-through awards to various subrecipients for their respective cost reimbursements. These cost reimbursement awards are required to be reported on the State’s Schedule of Expenditures of Federal Awards and accordingly are subject to the subrecipient monitoring requirements of the Uniform Guidance.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
Condition: RIEMA did not perform required subrecipient monitoring procedures during the majority of fiscal 2024. In April 2024, RIEMA implemented a tracking worksheet to review subrecipient audit reports submitted to the Federal Audit Clearinghouse as part of the review process of subrecipient project submissions. The tracking worksheet identifies the date the review of the FAC was performed and whether any findings related to the program were reported. RIEMA implemented these procedures as corrective actions to address prior year findings relating to subrecipient monitoring.
Cause: Monitoring procedures were not in place for a substantial portion of the audit period.
Effect: RIEMA did not monitor subrecipients for a material portion of the fiscal year.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-068a Complete implementation of subrecipient monitoring procedures by improving the detail maintained in the tracking worksheet to provide more transparency as to what was reviewed (e.g., audit year reviewed, FAC submission date, documentation of control deficiencies related to the financial statements).
2024-068b RIEMA will also need to document its review of subrecipient audit reports including follow-up on findings reported in Single Audit Reports and issuing management decisions when required.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023
Federal Award Number: 4505DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FINANCIAL REPORTING
Controls over federal financial reporting can be enhanced to ensure submitted reports are accurate for the period activity being reported.
Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF 425, Federal Financial Report, quarterly for the grant on a cumulative cash basis. The FFR should be sufficiently supported by the State’s accounting records.
Condition: With the exception of the Recipient Share portion of the report, amounts reported on the March 2024 quarterly SF-425 were reflective of the amounts previously reported in the December 2023 report. An additional $9.9 million was receipted in the March quarter that was not reported. Cumulative amounts reported at State fiscal year end were accurate and complete.
Cause: A formula error in the underlying support worksheet was not detected prior to submission of the report.
Effect: Amounts reported on the SF-425 for the quarter ended March 31, 2024 were not accurate and consistent with the underlying support.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATIONS
2024-069a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with underlying accounting records.
2024-069b Enhance review procedures prior to submission to compare the current quarter to the previous quarter.
2024-069c Submit revised SF-425 to reflect corrected expenditures and drawdowns for fiscal 2024, as necessary.
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Year: 2020 - 2023; 2022 - 2024
Federal Award Number: 4505DRRIP00000001; 4653DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) REPORTING
Controls over FFATA reporting can be enhanced to ensure timely and complete reporting of subawards issued during the fiscal year.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS).
Condition: Subaward information entered into the FSRS and made publicly available via USASpending.gov was not inclusive of all subawards made during fiscal 2024. In our testing of compliance with FFATA, we noted the following exceptions:
[See table within Finding]
Cause: Controls and monitoring procedures were not effective to ensure subawards were reported in compliance with FFATA reporting requirements.
Effect: RIEMA did not sufficiently comply with the reporting requirements of FFATA.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2024-070 Enhance controls over FFATA reporting to ensure subawards are reported timely. Incorporate FFATA reporting procedures into existing procedures when disbursing funds to subrecipients.