Audit 356058

FY End: 2024-12-31
Total Expended: $2.34M
Findings: 12
Programs: 5
Year: 2024
Accepted: 2025-05-12
Auditor: Eide Bailly LLP

Findings

ID Ref Severity Repeat Requirement
560087 2024-002 Significant Deficiency - N
560088 2024-002 Significant Deficiency - N
560089 2024-003 Material Weakness Yes I
560090 2024-003 Material Weakness Yes I
560091 2024-004 Material Weakness Yes N
560092 2024-004 Material Weakness Yes N
1136529 2024-002 Significant Deficiency - N
1136530 2024-002 Significant Deficiency - N
1136531 2024-003 Material Weakness Yes I
1136532 2024-003 Material Weakness Yes I
1136533 2024-004 Material Weakness Yes N
1136534 2024-004 Material Weakness Yes N

Contacts

Name Title Type
FPRJLRYY6HE3 Lori Stanford Auditee
6053018060 Judon Mettler Auditor

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported in the schedule are reported on the accrual basis of accounting. When applicable, such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. No federal financial assistance has been provided to a subrecipient.
De Minimis Rate Used: N
Rate Explanation: The Organization has not elected to use the 10% de minimis cost rate.
The accompanying schedule of expenditures of federal awards (the schedule) includes the federal award activity of the Organization under programs of the federal government for the year ended December 31, 2024. The information is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the schedule presents only a selected portion of the operations of the Organization it is not intended to and does not present the financial position, changes in net assets or cash flows of the Organization.

Finding Details

Legal Services Corporation
FFAL #09‐742018 Legal Services Corporation – Basic Field – Basic
FFAL #09‐742018 Legal Services Corporation – Basic Field – Native American
Special Tests and Provisions – Bonding Requirements for Recipients
Significant Deficiency in Internal Control over Compliance and Noncompliance
Criteria: 45 CFR 1629 requires the auditee be bonded or have similar insurance coverage to indemnify recipients against losses resulting from fraudulent or dishonest acts committed by one or more employees, officers, directors, agents, volunteers, and third‐party contractors who handle LSC funds. The auditee must carry coverage at a minimum level of at least ten percent of its annualized funding level for the previous fiscal year.
Condition: The Organization’s fidelity bond coverage for 2024 does not meet the minimum level of at least ten percent of its annualized funding level for the previous fiscal year. Minimum coverage required during 2024 is calculated to be $206,414. The Organization’s fidelity bond coverage during 2024 is $200,000.
Cause: There was a lapse in oversight of the internal control process ensuring the fidelity bond coverage meets the minimum level required based upon the annualized funding level for the previous fiscal year.
Effect: Lack of compliance with minimum fidelity bond coverage could result in the Organization not being properly insured in the event of losses resulting from fraudulent or dishonest acts.
Questioned Costs: None reported.
Context/Sampling: No sampling was performed.
Repeat Finding from Prior Year: No
Recommendation: We recommend management review and increase their fidelity bond coverage to ensure compliance with the federal requirements.
Views of Responsible Officials: Management is in agreement.

Legal Services Corporation
FFAL #09‐742018 Legal Services Corporation – Basic Field – Basic
FFAL #09‐742018 Legal Services Corporation – Basic Field – Native American
Procurement
Material Weakness in Internal Control over Compliance
Criteria: 45 CFR 1631 requires that a non‐Federal entity must use its own documented procurement procedures which reflect applicable state and local laws and regulations, provided that the procurements conform to applicable federal law.
Condition: Our testing detected two instances in which the transaction exceeded the Organization’s small purchase threshold of $4,000, requiring rate quotes and a written evaluation why the vendor was chosen, however, this was not completed.
Cause: There was a lapse in oversight of the internal control process ensuring a written evaluation was completed, detailing the Organization’s considerations over the procurement process.
Effect: Without completing a written evaluation detailing the history of procurement, demonstrating the program complies with laws, regulations, and other compliance requirements is difficult.
Questioned Costs: None reported based on assessment of comparative pricing readily available.
Context/Sampling: A nonstatistical sample of 60 disbursements out of more than 250 disbursements were selected for testing. Out of the 60 disbursements, two items exceeded the Organization’s small purchase threshold.
Repeat Finding from Prior Year: Yes. 2023‐004 reported a similar finding over procurement.
Recommendation: We recommend management review the internal control process to ensure procurement considerations are documented and retained.
Views of Responsible Officials: Management is in agreement.

Legal Services Corporation
FFAL #09‐742018 Legal Services Corporation – Basic Field – Basic
FFAL #09‐742018 Legal Services Corporation – Basic Field – Native American
Special Tests & Provisions – Accounting Requirements
Material Weakness in Internal Control over Compliance
Criteria: Per Section 2.5.3 of the LSC Financial Guide, recipients are required to have written security policies and procedures for physical and digital assets including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk‐assessment process. LSC recommends obtaining guidance from qualified experts in data and records security, including cybersecurity. LSC also recommends including in the risk assessment process consideration of appropriate insurance policies or determining if the recipient is sufficiently self‐insured. Recipients must establish physical, administrative, technical, and virtual/remote access controls and other measures to safeguard physical and digital assets (e.g., office space, computers, information systems, sensitive information, and financial data/records), including modifications to assets and systems. The policies should specifically address cybersecurity and the risks from cyber incidents such as data breaches, business interruption, and network damage. Recipients should also consider what actions (including notification) to take in the event of such cyber incidents.
Policies and procedures must include the following requirements:
- Perform (and document) an annual risk assessment
- Resolve any risk findings or conclusions
- Maintain physical access controls for servers and storage rooms
- Develop and periodically test an emergency disaster prevention and recovery plan
- Perform regular back up of electronic records and systems stored offsite or in a virtual environment with easy‐to‐use restoration options
- Formally assign computer and data security responsibilities
Recipients should implement these policies and regularly check that they are followed. Recipients should evaluate these policies and update them as appropriate through an annual risk assessment process. These controls will vary with the type of software used, size of the organization, and the number of personnel involved in making, processing, and approving financial transactions. Risk assessment procedures will vary by recipient. However, at minimum, the process should:
• Identify the physical and digital assets susceptible to cyberattacks
• Identify risks to those assets (risks should be evaluated annually for changes)
• Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact
• Document the results of the risk assessment, including the development and implementation of appropriate controls
Condition: The Organization has not performed an annual risk assessment since 2021, nor tested an emergency disaster prevention and recovery plan.
Cause: Management became aware of these compliance requirements during the Organization’s audit for the year ended December 31, 2023; however, no annual risk assessment and testing of an emergency disaster prevention and recovery plan was completed during 2024.
Effect: Without completing a written evaluation detailing the identified risks and the resolution of any prior risk findings or conclusion, the Organization may be less prepared for a security incident.
Questioned Costs: None reported.
Context/Sampling: Sampling was not used.
Repeat Finding from Prior Year: Yes. 2023‐005 reported a similar finding.
Recommendation: We recommend management review the requirements of the 2023 LSC Financial Guide to ensure compliance.
Views of Responsible Officials: Management is in agreement.