Audit 358389

Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Special Tests & Provisions – Accounting Requirements Significant Deficiency in Internal Control over Compliance Criteria: Per Section 2.5.3 of the LSC Financial Guide, recipients are required to have written security policies and procedures for physical and digital assets including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk assessment process. LSC recommends obtaining guidance from qualified experts in data and records security, including cybersecurity. LSC also recommends including in the risk assessment process consideration of appropriate insurance policies or determining if the recipient is sufficiently self-insured. Recipients must establish physical, administrative, technical, and virtual/remote access controls and other measures to safeguard physical and digital assets (e.g., office space, computers, information systems, sensitive information, and financial data/records), including modifications to assets and systems. The policies should specifically address cybersecurity and the risk from cyber incidents such as data breaches, business interruption, and network damage. Recipients should also consider what actions (including notification) to take in the event of such cyber incidents. Policies and procedures must include the following requirements:  Perform (and document) an annual risk assessment  Resolve any risk findings or conclusions  Maintain physical access controls for servers and storage rooms  Develop and periodically test an emergency disaster prevention and recovery plan  Perform regular back up of electronic records and systems stored offsite or in a virtual environment with easy-to-use restoration options  Formally assign computer and data security responsibilities Recipients should implement these policies and regularly check that they are followed. Recipients should evaluate these policies and update them as appropriate through an annual risk assessment process. These controls will vary with the type of software used, size of the organization, and the number of personnel involved in making, processing, and approving financial transactions. Risk assessment procedures will vary by recipient. However, at minimum, the process should:  Identify the physical and digital assets susceptible to cyberattacks  Identify risks to those assets (risks should be evaluated annually for changes)  Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact  Document the results of the risk assessment, including the development and implementation of appropriate controls Condition: The Organization did not perform an annual risk assessment during 2024 and did not test an emergency disaster prevention and recovery plan. Cause: Management became aware of these compliance requirements during the Organization’s audit for the year ended December 31, 2023. The Organization continued to make progress with their technology improvement plan put into place towards the end of 2022; however, no annual risk assessment and testing of an emergency disaster prevent and recovery plan was completed during 2024. Effect: Without completing a written evaluation detailing the identified risks and the resolution of any prior risk findings or conclusion, the Organization may be less prepared for a security incident. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Year: Yes – 2023-002 Recommendation: We recommend management review the requirements of the 2023 LSC Financial Guide to ensure compliance. Views of Responsible Officials: Management is in agreement.

Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Eligibility Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria: 45 CFR 1644.4 establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. 45 CFR 1626.6 requires the auditee shall require all applicants for legal assistance who claim to be citizens to attest in writing in a standard form provided by the Corporation that they are citizens, unless the only service provided for a citizen is brief advice and consultation by telephone, or by other non-in-person means, which does not include continuous representation. 45 CFR 1626.4(e) requires the auditee to document the client presented an immigration document by making a note in the client's file stating that a staff member has seen the document, the type of document, the client’s alien registration number, the date of the document, and the date of the review including a staff member’s signature when the documents were reviewed. Condition: Testing identified one case in which the U.S. Citizen Attestation was not obtained and one case in which documentation was not obtained and retained within the case file detailing immigration documents being received and reviewed. Cause: There was a lapse in oversight of the internal control process ensuring case files include the required documentation to ensure cases are in compliance with the applicable federal standards. Effect: Lack of compliance with designed internal controls over case files could result in the Organization using funds for cases that may not be eligible for reimbursement. Questioned Costs: None reported. Context/Sampling: A nonstatistical sample of 60 cases out of more than 250 cases opened during 2024 were selected for eligibility testing. Repeat Finding from Prior Year: Yes – 2023-003 Recommendation: We recommend management review the internal control process to ensure U.S. Citizen Attestation forms are signed and retained and documentation of immigration documents are obtained and documented in the file when required. Views of Responsible Officials: Management is in agreement.

Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Special Tests & Provisions – Accounting Requirements Significant Deficiency in Internal Control over Compliance Criteria: Per Section 2.5.3 of the LSC Financial Guide, recipients are required to have written security policies and procedures for physical and digital assets including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk assessment process. LSC recommends obtaining guidance from qualified experts in data and records security, including cybersecurity. LSC also recommends including in the risk assessment process consideration of appropriate insurance policies or determining if the recipient is sufficiently self-insured. Recipients must establish physical, administrative, technical, and virtual/remote access controls and other measures to safeguard physical and digital assets (e.g., office space, computers, information systems, sensitive information, and financial data/records), including modifications to assets and systems. The policies should specifically address cybersecurity and the risk from cyber incidents such as data breaches, business interruption, and network damage. Recipients should also consider what actions (including notification) to take in the event of such cyber incidents. Policies and procedures must include the following requirements:  Perform (and document) an annual risk assessment  Resolve any risk findings or conclusions  Maintain physical access controls for servers and storage rooms  Develop and periodically test an emergency disaster prevention and recovery plan  Perform regular back up of electronic records and systems stored offsite or in a virtual environment with easy-to-use restoration options  Formally assign computer and data security responsibilities Recipients should implement these policies and regularly check that they are followed. Recipients should evaluate these policies and update them as appropriate through an annual risk assessment process. These controls will vary with the type of software used, size of the organization, and the number of personnel involved in making, processing, and approving financial transactions. Risk assessment procedures will vary by recipient. However, at minimum, the process should:  Identify the physical and digital assets susceptible to cyberattacks  Identify risks to those assets (risks should be evaluated annually for changes)  Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact  Document the results of the risk assessment, including the development and implementation of appropriate controls Condition: The Organization did not perform an annual risk assessment during 2024 and did not test an emergency disaster prevention and recovery plan. Cause: Management became aware of these compliance requirements during the Organization’s audit for the year ended December 31, 2023. The Organization continued to make progress with their technology improvement plan put into place towards the end of 2022; however, no annual risk assessment and testing of an emergency disaster prevent and recovery plan was completed during 2024. Effect: Without completing a written evaluation detailing the identified risks and the resolution of any prior risk findings or conclusion, the Organization may be less prepared for a security incident. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Year: Yes – 2023-002 Recommendation: We recommend management review the requirements of the 2023 LSC Financial Guide to ensure compliance. Views of Responsible Officials: Management is in agreement.

Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Eligibility Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria: 45 CFR 1644.4 establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. 45 CFR 1626.6 requires the auditee shall require all applicants for legal assistance who claim to be citizens to attest in writing in a standard form provided by the Corporation that they are citizens, unless the only service provided for a citizen is brief advice and consultation by telephone, or by other non-in-person means, which does not include continuous representation. 45 CFR 1626.4(e) requires the auditee to document the client presented an immigration document by making a note in the client's file stating that a staff member has seen the document, the type of document, the client’s alien registration number, the date of the document, and the date of the review including a staff member’s signature when the documents were reviewed. Condition: Testing identified one case in which the U.S. Citizen Attestation was not obtained and one case in which documentation was not obtained and retained within the case file detailing immigration documents being received and reviewed. Cause: There was a lapse in oversight of the internal control process ensuring case files include the required documentation to ensure cases are in compliance with the applicable federal standards. Effect: Lack of compliance with designed internal controls over case files could result in the Organization using funds for cases that may not be eligible for reimbursement. Questioned Costs: None reported. Context/Sampling: A nonstatistical sample of 60 cases out of more than 250 cases opened during 2024 were selected for eligibility testing. Repeat Finding from Prior Year: Yes – 2023-003 Recommendation: We recommend management review the internal control process to ensure U.S. Citizen Attestation forms are signed and retained and documentation of immigration documents are obtained and documented in the file when required. Views of Responsible Officials: Management is in agreement.