FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
Therefore, the finding stands as written.
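The following is an added example, not part of the audit report and not DTMB's code: a per-file reconciliation of control totals against a batch summary log that flags the two failure modes named under Cause (counts not logged, counts duplicated) and reports results per interface rather than pooled across interfaces. The table layouts, field names, status labels, and all sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRow:
    """One row per transferred file in a hypothetical file control table."""
    file_id: str
    interface: str
    records_sent: int  # control total declared by the source system


@dataclass(frozen=True)
class SummaryRow:
    """One row per processed file in a hypothetical batch summary table."""
    file_id: str
    loaded: int
    exceptions: int


def reconcile(control, summary, detail_counts):
    """Reconcile every file on its own and return {file_id: status}.

    detail_counts maps file_id -> number of detailed exception records still
    retained; a file missing from it has no detail left to compare against.
    """
    logged = defaultdict(list)
    for row in summary:
        logged[row.file_id].append(row)

    status = {}
    for c in control:
        rows = logged.get(c.file_id, [])
        if not rows:
            status[c.file_id] = "COUNT_NOT_LOGGED"
        elif len(rows) > 1:
            status[c.file_id] = "COUNT_DUPLICATED"
        elif rows[0].loaded + rows[0].exceptions != c.records_sent:
            status[c.file_id] = "TOTAL_MISMATCH"
        elif c.file_id not in detail_counts:
            status[c.file_id] = "DETAIL_UNAVAILABLE"
        elif detail_counts[c.file_id] != rows[0].exceptions:
            status[c.file_id] = "DETAIL_MISMATCH"
        else:
            status[c.file_id] = "RECONCILED"
    # Summary rows that have no control row cannot be tied to any transfer.
    for file_id in logged:
        status.setdefault(file_id, "NO_CONTROL_ROW")
    return status


def failures_by_interface(control, status):
    """Return {interface: (unreconciled_files, total_files)} plus a pooled "ALL" entry."""
    tally = defaultdict(lambda: [0, 0])
    for c in control:
        for key in (c.interface, "ALL"):
            tally[key][1] += 1
            if status[c.file_id] != "RECONCILED":
                tally[key][0] += 1
    return {key: tuple(counts) for key, counts in tally.items()}


def build_sample():
    """Constructed sample data: 20 clean daily files and 6 monthly files."""
    control = [ControlRow(f"D{i:02d}", "DAILY-A", 1000) for i in range(1, 21)]
    summary = [SummaryRow(c.file_id, 990, 10) for c in control]
    detail = {c.file_id: 10 for c in control}
    control += [ControlRow(f"M{i:02d}", "MONTHLY-B", 500) for i in range(1, 7)]
    summary += [
        SummaryRow("M01", 495, 5),   # clean
        # M02 has no summary row: the count was never logged
        SummaryRow("M03", 495, 5),   # logged twice: duplicated count
        SummaryRow("M03", 495, 5),
        SummaryRow("M04", 495, 3),   # 495 + 3 != 500 records sent
        SummaryRow("M05", 495, 5),   # summary says 5, retained detail holds 3
        SummaryRow("M06", 495, 5),   # detail no longer retained
    ]
    detail.update({"M01": 5, "M03": 5, "M04": 3, "M05": 3})
    return control, summary, detail


if __name__ == "__main__":
    control, summary, detail = build_sample()
    status = reconcile(control, summary, detail)
    for file_id, state in status.items():
        if state != "RECONCILED":
            print(file_id, state)
    for interface, (bad, total) in failures_by_interface(control, status).items():
        print(f"{interface}: {bad}/{total} files unreconciled ({bad / total:.0%})")
```

In the constructed data the pooled figure is 5 of 26 files, while the monthly interface alone is 5 of 6, which is the dilution effect the auditor's comments describe when results from interfaces of different frequency are combined.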
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-018
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective access controls, individuals may retain inappropriate access to the MI-WIC database.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database.
Management Views
MDHHS and DTMB agree with the finding.
FINDING 2024-019
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over MI-WIC. Our review disclosed MDHHS did not document testing results at one stage of the process for 2 (5%) of 40 sampled MI-WIC change records.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to make sure the changes meet the documented requirements by testing against the documented test plan. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us that because of an oversight, it did not document the testing results.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MI-WIC. As a result, an increased risk exists MDHHS cannot ensure MI-WIC is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over MI-WIC.
Management Views
MDHHS agrees with the finding.
FINDING 2024-018
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective access controls, individuals may retain inappropriate access to the MI-WIC database.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database.
Management Views
MDHHS and DTMB agree with the finding.
FINDING 2024-019
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over MI-WIC. Our review disclosed MDHHS did not document testing results at one stage of the process for 2 (5%) of 40 sampled MI-WIC change records.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to make sure the changes meet the documented requirements by testing against the documented test plan. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us that because of an oversight, it did not document the testing results.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MI-WIC. As a result, an increased risk exists MDHHS cannot ensure MI-WIC is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over
MI-WIC.
Management Views
MDHHS agrees with the finding.
FINDING 2024-018
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective access controls, individuals may retain inappropriate access to the MI-WIC database.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database.
Management Views
MDHHS and DTMB agree with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support that controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts to be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-020
National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Military and Veterans Affairs (DMVA) did not follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA. We noted DMVA did not maintain sufficient or accurate documentation to support it timely submitted a reimbursement request for 10 (26%) of 38 sampled cash draws. For the remaining 28 cash draws reviewed, DMVA did not timely submit the reimbursement requests for 4 (14%) sampled cash draws; DMVA took between 88 and 369 days to process these requests.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Subpart B of federal regulation 31 CFR 205 requires a state to minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
DMVA's process is to run departmental expenditure reports for each appendix by the fifteenth day of the following month in which the expenditures were incurred. The process to submit the Request for Advance or Reimbursement (SF-270) to the United States Property and Fiscal Office (USPFO) varies by appendix.
For construction appendices, DMVA sends the expenditure reports to its federal program manager for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the federal program manager approves the coding, DMVA prepares the SF-270 and sends it back to its federal program manager for final approval and submission to the USPFO.
For all other appendices, DMVA prepares the SF-270 using the expenditure reports and sends the SF-270 to the federal program managers for approval. For airbases, the federal program managers submit the SF-270 to the USPFO after it is approved.
Cause
DMVA informed us competing priorities contributed to its inability to timely process reimbursement requests. Also, DMVA indicated its controls were not sufficient to ensure the retention of documentation to support the timely submission of reimbursement requests.
Effect
DMVA limited its assurance it complied with the CMIA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DMVA follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA.
Management Views
DMVA agrees with the finding.
FINDING 2024-021
National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Period of Performance - Extension Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DMVA did not timely submit extension requests for cooperative agreement (CA) appendices sent to the USPFO for 2 (8%) of 24 appendices requiring extension requests during fiscal year 2024. For these 2 appendices, DMVA submitted the requests 111 days late.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over the federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 2 CFR 200.308 states a recipient must notify the federal agency in writing with the supporting justification and a revised period of performance at least 10 calendar days before the conclusion of the period of performance.
The National Guard Bureau's Grants and Cooperative Agreement Policy Letter 21-07 indicates for projects and activities that cannot be completed before the end of a CA award's budget period of performance, the grantee must submit the extension request at least 10 days prior to the end of the period of performance.
Cause
DMVA's internal control and monitoring activities were not sufficient to ensure it timely submitted the required extension requests for CA appendices sent to the USPFO.
Effect
DMVA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of the CA appendices. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DMVA timely submit extension requests for CA appendices sent to the USPFO.
Management Views
DMVA agrees with the finding.
FINDING 2024-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-001.
FINDING 2024-059
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-002.
FINDING 2024-060
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-003.
FINDING 2024-022
Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.
Known Questioned Costs
None.
Recommendation
We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.
Management Views
MDOT agrees with the finding.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts to be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-023
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - PTMS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDOT did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. MDOT program staff utilize PTMS to approve subrecipient budget and payment requests. We noted MDOT did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
MDOT informed us an oversight occurred due to employee turnover.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS.
Known Questioned Costs
None.
Recommendation
We recommend MDOT fully establish effective security management and access controls over PTMS users.
Management Views
MDOT agrees with the finding.
FINDING 2024-024
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 2 (9%) of 23 sampled payments to ensure the requests were reasonable and appropriate.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
EGLE informed us it did not always follow the established process for reviewing and approving reimbursement requests for one grant.
Effect
EGLE could potentially reimburse for ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.
Management Views
EGLE agrees with the finding.
FINDING 2024-025
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not have sufficient controls in place to prevent or detect and correct payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments subsequent to manual input into the Medical Services Administration Manual Payment System (MSAPay).
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure it documented its review and approval of respite grant payments in MSAPay.
Effect
These deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its controls to prevent or detect and correct payment errors made to respite grant recipients.
Management Views
MDHHS agrees with the finding.
FINDING 2024-026
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) data reported to the U.S. Department of the Treasury. Our review of 9 sampled Workfront users noted:
a. DTMB did not maintain documentation to support it approved the system role for 5 sampled Workfront users.
b. DTMB did not ensure it properly approved 2 users prior to granting access to Workfront.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies in place at the time of approval.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2024-027
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDOT, LEO, and the Michigan Strategic Fund (MSF) did not report to their subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. MDOT did not report for all 3 sampled CSLFRF subrecipients the following: UEI, FAIN, federal award date, subaward period of performance start and end date, subaward budget period start and end date, federal awarding agency name, ALN title, identification of whether the award is for research and development (R&D), indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and the closeout terms and conditions.
b. LEO did not report the correct FAIN for 1 of 3 sampled CSLFRF subrecipients.
c. MSF did not report one or more of the following for the 2 sampled CSLFRF subrecipients: identification of whether the award is for R&D, indirect cost rate for the federal award, and an approved federally recognized indirect cost rate for the subrecipient.
Criteria
Federal regulation 2 CFR 200.332(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., MDOT informed us because of an oversight in the process of developing its subawards, it did not provide all required subaward information to subrecipients. MDOT believed it used the best available information at the time it developed and executed the subawards but later discovered the oversight.
For part b., LEO informed us because of an oversight, it did not use the correct FAIN when creating the grant agreement.
For part c., MSF's internal control was not sufficient to ensure it provided all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDOT, LEO, and MSF report to their subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MDOT, LEO, and MSF agree with the finding.
FINDING 2024-028
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subrecipient Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO, MSF, and EGLE did not properly monitor their subrecipients to ensure they complied with the Uniform Guidance. We noted:
a. LEO and MSF did not have a process to identify or document if their subrecipients required a single audit. Therefore, LEO and MSF did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. EGLE did not identify or document if its subrecipients required a single audit for 8 (67%) of 12 sampled subrecipients. We reviewed the federal audit clearinghouse (FAC) and noted 2 of the 8 subrecipients had single audit reports submitted to the FAC in fiscal year 2024.
Criteria
Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521(d) requires the pass-through entity to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to monitor subrecipient single audits. MSF indicated it believes its current process was sufficient because it requires the subrecipients to notify MSF upon completion of their single audits.
For part b., EGLE informed us due to an increase in subrecipients and division of responsibilities, not all CSLFRF subrecipients were tracked for single audits.
Effect
LEO, MSF, and EGLE limited the State's assurance their subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to their records. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO, MSF, and EGLE properly monitor their subrecipients to ensure they comply with the Uniform Guidance.
Management Views
For part a., LEO agrees with the finding.
All three of MSF's subrecipient awards for the fiscal year were sampled totaling approximately $274,000 (0.3 percent of the total award). While MSF agrees with the finding that it did not have a written process to verify single audit compliance, management believes that MSF's risk assessment of subrecipients adequately determined that single audit verification was not required for two of its subrecipients since, based on all anticipated federal awards for the subrecipient, it was not expected that they would reach the expenditure threshold (2 CFR 200.332(f)). The third annually files a single audit, was expected to file a single audit, and did file a single audit.
For part b., EGLE agrees with the finding.
Auditor's Comments to Management Views
Regarding part a., MSF acknowledges it does not have a process to identify or document its review of subrecipient single audit reports. MSF did not provide documentation to support the award period or the amount of the subaward to these three subrecipients. Regardless of the amount of the subaward, federal regulation 2 CFR 200.501 indicates the $750,000 threshold is based on the subrecipient's total federal expenditures for all federal programs during its fiscal year and not based on a specific program's subaward amounts or expenditures. Also, MSF did not review the single audit report submitted to the FAC and determine if it was necessary to issue a management decision letter for audit findings affecting the subawards it issued to the subrecipient.
Therefore, the finding stands as written.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its
high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did
not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special
Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed semiannually for compliance with account management requirements.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its not removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed annually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-029
Adult Education - Basic Grants to States, ALN 84.002, Subrecipient Monitoring - During-the-Award Monitoring and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not complete sufficient during-the-award monitoring of its subrecipients to ensure it complied with the Uniform Guidance. In addition, LEO did not accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
We noted:
a. LEO did not fully complete desk audits for all 92 subrecipients. Therefore, LEO did not review and monitor these subrecipients to ensure their compliance with program requirements.
b. LEO did not report the correct FAIN for all 92 subrecipients.
Criteria
Federal regulation 2 CFR 200.332(d) requires LEO to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved.
As part of its monitoring procedures, LEO completes an annual four-step desk audit of its subrecipients which includes review and approval of the subrecipient application narrative, budget, final expenditure report, and final narrative.
Federal regulation 2 CFR 200.332(a) requires all pass-through entities to ensure every subaward includes certain information.
Cause
For part a., LEO informed us competing priorities impacted its ability to complete the final two steps of the desk audits.
For part b., LEO indicated the incorrect FAIN on the subrecipient subawards was caused by a manual data entry error.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and LEO's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO complete sufficient during-the-award monitoring of its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-030
Rehabilitation Services Vocational Rehabilitation Grants to States, ALN 84.126, Reporting - Accuracy of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not submit accurate financial reports to the U.S. Department of Education for 2 of 4 sampled Vocational Rehabilitation Financial Reports (RSA-17). In these 2 RSA-17 reports, line items included incorrect expenditure amounts, resulting in overstating or understating the expenditures. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulation 2 CFR 200.302(b)(2) requires states to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include specific details for reporting information, such as expenditures and indirect costs made in the federal fiscal year for the grant year being reported.
Cause
LEO's internal control was not sufficient to detect data entry errors included in the submitted reports.
Effect
LEO may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of Rehabilitation Services Vocational Rehabilitation Grants to States funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO improve its internal control and submit accurate financial reports to the U.S. Department of Education.
Management Views
LEO agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed semiannually for compliance with account management requirements.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its not removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed annually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-031
Twenty-First Century Community Learning Centers, ALN 84.287, Subrecipient Monitoring - Program Fiscal Reviews
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not sufficiently monitor the activities of its subrecipients to ensure federal awards are used for authorized purposes. We noted MiLEAP did not complete program fiscal reviews for all 26 subrecipients.
Criteria
Federal regulation 2 CFR 200.332(d) requires MiLEAP to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and the subaward performance goals are achieved.
As part of its monitoring procedures, MiLEAP conducts an annual program fiscal review of each subrecipient.
Cause
MiLEAP informed us limited resources contributed to its inability to sufficiently monitor its subrecipients.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MiLEAP's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP sufficiently monitor the activities of its subrecipients to ensure federal awards are used for authorized purposes.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-033
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 5 (8%) of the 60 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 5 (8%) of 60 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (2%) of 60 cases reviewed, which is also reported in part a. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MiLEAP to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MiLEAP identify additional eligibility requirements in its CCDF State Plan. MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the FMAP rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MiLEAP may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $586 - federal share.
• $257 - State share of costs MiLEAP inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-035
CCDF Cluster, ALN 93.575 and 93.596, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDE did not have a process to ensure they submitted subaward information as required by the FFATA of 2006 and federal guidance. MDE's process is to collect pertinent data on the first of the month, verify the data by the twenty-fifth day of the month, and submit the data to FSRS by the end of the month. As of March 2025, the U.S. General Services Administration retired FSRS, and all subaward reporting data and functionality are available on the System for Award Management (SAM).
We reviewed SAM and MDE's FFATA documentation and could not determine if MDE reported or timely reported all 10 sampled CCDF Cluster subawards totaling $6,171,004.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE informed us it believes all data was submitted appropriately to FSRS but may not be available in SAM due to federal system issues.
Effect
MiLEAP and MDE grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because MDE did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP and MDE submit subaward information as required by FFATA and federal guidance.
Management Views
MiLEAP and MDE agree with the finding.
FINDING 2024-036
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MiLEAP did not report or accurately report the UEI, federal award project description, indirect cost rate, or the period of performance end date for 1 of 4 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MiLEAP informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-033
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 5 (8%) of the 60 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 5 (8%) of 60 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (2%) of 60 cases reviewed, which is also reported in part a. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MiLEAP to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MiLEAP identify additional eligibility requirements in its CCDF State Plan. MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the FMAP rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MiLEAP may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $586 - federal share.
• $257 - State share of costs MiLEAP inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-035
CCDF Cluster, ALN 93.575 and 93.596, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDE did not have a process to ensure they submitted subaward information as required by the FFATA of 2006 and federal guidance. MDE's process is to collect pertinent data on the first of the month, verify the data by the twenty-fifth day of the month, and submit the data to FSRS by the end of the month. As of March 2025, the U.S. General Services Administration retired FSRS, and all subaward reporting data and functionality are available on the System for Award Management (SAM).
We reviewed SAM and MDE's FFATA documentation and could not determine if MDE reported or timely reported all 10 sampled CCDF Cluster subawards totaling $6,171,004.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE informed us it believes all data was submitted appropriately to FSRS but may not be available in SAM due to federal system issues.
Effect
MiLEAP and MDE grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because MDE did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP and MDE submit subaward information as required by FFATA and federal guidance.
Management Views
MiLEAP and MDE agree with the finding.
FINDING 2024-036
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MiLEAP did not report or accurately report the UEI, federal award project description, indirect cost rate, or the period of performance end date for 1 of 4 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MiLEAP informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
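An added illustration of the per-file reconciliation the Criteria describe (control totals and record counts), not code from the audit report, DTMB, or Bridges. The table layouts, field names, issue codes, and sample rows are assumptions constructed for this example.

```python
"""Per-file interface reconciliation using control totals and record counts.

Hypothetical layouts: a file control table (what the source sent), a batch
summary table (what the receiving job logged), and detail exception records.
All rows below are constructed sample data.
"""
from collections import Counter, defaultdict

FILE_CONTROL = [
    {"file_id": "F001", "records_sent": 1000},
    {"file_id": "F002", "records_sent": 500},
    {"file_id": "F003", "records_sent": 750},
    {"file_id": "F004", "records_sent": 200},
    {"file_id": "F005", "records_sent": 300},
]
BATCH_SUMMARY = [
    {"file_id": "F001", "loaded": 998, "exceptions": 2},
    {"file_id": "F002", "loaded": 500, "exceptions": 0},
    {"file_id": "F002", "loaded": 500, "exceptions": 0},  # count logged twice
    # F003 has no row: the count was never logged
    {"file_id": "F004", "loaded": 199, "exceptions": 0},  # one record unaccounted for
    {"file_id": "F005", "loaded": 297, "exceptions": 3},
]
# Severity "ERROR" is forwarded for review; "ALERT" is informational only.
DETAIL_EXCEPTIONS = [
    {"file_id": "F001", "record_id": 17, "severity": "ERROR"},
    {"file_id": "F001", "record_id": 403, "severity": "ERROR"},
    {"file_id": "F004", "record_id": 88, "severity": "ALERT"},
]
DETAIL_PURGED = {"F005"}  # detail rows already removed by a retention purge


def reconcile(file_control, batch_summary, detail_exceptions, detail_purged=frozenset()):
    """Return {file_id: [issue codes]}; an empty list means the file reconciles."""
    summary_rows = defaultdict(list)
    for row in batch_summary:
        summary_rows[row["file_id"]].append(row)

    detail_counts = defaultdict(Counter)
    for row in detail_exceptions:
        detail_counts[row["file_id"]][row["severity"]] += 1

    results = {}
    for ctl in file_control:
        fid = ctl["file_id"]
        rows = summary_rows.get(fid, [])
        if not rows:
            results[fid] = ["SUMMARY_MISSING"]  # record count not logged
            continue
        issues = []
        if len(rows) > 1:
            issues.append("SUMMARY_DUPLICATED")  # record count logged more than once
        summary = rows[0]
        # Control total: every record sent is either loaded or counted as an exception.
        if ctl["records_sent"] != summary["loaded"] + summary["exceptions"]:
            issues.append("TOTAL_MISMATCH")
        if fid in detail_purged:
            # The summary cannot be tied back to detail that no longer exists.
            if summary["exceptions"]:
                issues.append("DETAIL_UNAVAILABLE")
        else:
            severities = detail_counts[fid]
            if severities["ERROR"] != summary["exceptions"]:
                issues.append("DETAIL_MISMATCH")
            if severities["ALERT"]:
                # Alerts are logged in detail but have no column in this summary
                # layout, so they surface as a documented, explainable difference.
                issues.append("ALERTS_OUTSIDE_SUMMARY")
        results[fid] = issues

    # Summary rows for a file the source never declared.
    known = {ctl["file_id"] for ctl in file_control}
    for fid in summary_rows:
        if fid not in known:
            results[fid] = ["CONTROL_MISSING"]
    return results


def unreconciled(results):
    """File-level view: the files with at least one open issue."""
    return sorted(fid for fid, issues in results.items() if issues)


if __name__ == "__main__":
    outcome = reconcile(FILE_CONTROL, BATCH_SUMMARY, DETAIL_EXCEPTIONS, DETAIL_PURGED)
    for fid in sorted(outcome):
        print(fid, outcome[fid] or "reconciled")
```

Each file is evaluated on its own, so one unexplained record in a small monthly file is reported the same way as one in a large daily file.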
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system must automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-035
CCDF Cluster, ALN 93.575 and 93.596, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDE did not have a process to ensure they submitted subaward information as required by the FFATA of 2006 and federal guidance. MDE's process is to collect pertinent data on the first of the month, verify the data by the twenty-fifth day of the month, and submit the data to FSRS by the end of the month. As of March 2025, the U.S. General Services Administration retired FSRS, and all subaward reporting data and functionality are available on the System for Award Management (SAM).
We reviewed SAM and MDE's FFATA documentation and could not determine if MDE reported or timely reported all 10 sampled CCDF Cluster subawards totaling $6,171,004.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE informed us it believes all data was submitted appropriately to FSRS but may not be available in SAM due to federal system issues.
Effect
MiLEAP and MDE grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because MDE did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP and MDE submit subaward information as required by FFATA and federal guidance.
Management Views
MiLEAP and MDE agree with the finding.
FINDING 2024-036
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MiLEAP did not report or accurately report the UEI, federal award project description, indirect cost rate, or the period of performance end date for 1 of 4 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MiLEAP informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
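The error-handling expectation cited in Finding 2024-007 (all transactions accounted for, and every error identified, isolated, analyzed, corrected, and resubmitted) can be tested mechanically for each interface run. The following is an added example, not MDHHS or DTMB code; the record IDs, field names, dates, and the five-day resolution target are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_DAYS_TO_RESOLVE = 5  # assumed timeliness target; the report sets no number


@dataclass
class ErrorEntry:
    """One record the receiving system excluded from a run (hypothetical layout)."""
    record_id: str
    run_date: date
    reason: str
    investigated_by: Optional[str] = None   # evidence the error was analyzed
    corrected_on: Optional[date] = None     # evidence the source data was fixed
    resubmitted_on: Optional[date] = None   # evidence the record was sent again


def reconcile_run(run_date, sent_ids, loaded_ids, error_log, as_of):
    """Account for every record of one interface run.

    A record sent by the source system must either be loaded by the receiving
    system or appear in the error log; a logged error counts as closed only
    when investigation, correction, and resubmission are all documented.
    """
    sent, loaded = set(sent_ids), set(loaded_ids)
    errors = {e.record_id: e for e in error_log if e.run_date == run_date}

    open_errors, overdue = [], []
    for rid in sorted(errors):
        e = errors[rid]
        documented = all([e.investigated_by, e.corrected_on, e.resubmitted_on])
        if not documented:
            open_errors.append(rid)
            if (as_of - e.run_date).days > MAX_DAYS_TO_RESOLVE:
                overdue.append(rid)

    return {
        # Control total: records sent = records loaded + records rejected.
        "control_total_ok": len(sent_ids) == len(loaded_ids) + len(errors),
        # Sent, but neither loaded nor logged as an error (silently dropped).
        "unaccounted": sorted(sent - loaded - set(errors)),
        # Present in the receiving system although the source never sent them.
        "unexpected": sorted(loaded - sent),
        # Logged errors with incomplete follow-up documentation.
        "open_errors": open_errors,
        # Open errors older than the resolution target.
        "overdue": overdue,
    }


# Constructed sample run (not real eligibility data).
SAMPLE_RUN_DATE = date(2024, 3, 4)
SAMPLE_AS_OF = date(2024, 3, 20)
SAMPLE_SENT = ["R001", "R002", "R003", "R004", "R005", "R006"]
SAMPLE_LOADED = ["R001", "R002", "R004"]
SAMPLE_ERROR_LOG = [
    ErrorEntry("R003", SAMPLE_RUN_DATE, "invalid program code",
               investigated_by="analyst_a",
               corrected_on=date(2024, 3, 5),
               resubmitted_on=date(2024, 3, 6)),
    ErrorEntry("R005", SAMPLE_RUN_DATE, "missing beneficiary ID"),
]

if __name__ == "__main__":
    report = reconcile_run(SAMPLE_RUN_DATE, SAMPLE_SENT, SAMPLE_LOADED,
                           SAMPLE_ERROR_LOG, SAMPLE_AS_OF)
    for check, value in report.items():
        print(f"{check}: {value}")
```

In the sample run, R006 is dropped without any trace and R005 is logged but never followed up, which is the kind of gap that central documentation of excluded records would surface.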
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us that, because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the interfaces occur at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface depends not on the frequency of the interface's interval but on the purpose of the interface.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support that controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew a CHIP recipient's eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-044
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - MiSACWIS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS).
We noted:
a. MDHHS did not maintain documentation for 1 (2%) of 45 sampled MiSACWIS incompatible role exception requests. Of the 44 forms received, we noted MDHHS did not properly approve 1 (2%) form prior to granting the exception request.
b. MDHHS did not document or properly review its annual recertification of 5 (13%) of 40 sampled MiSACWIS non-privileged user accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements annually for all non-privileged accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties conflicts exist.
Cause
For part a., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access.
For part b., MDHHS informed us the users' roles were not always recertified due to staff oversight.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists MDHHS cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over MiSACWIS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-045
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Non-Financial Eligibility Documentation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for 1 (5%) of 22 sampled TANF-funded assistance payments.
In this 1 instance, we noted MDHHS did not ensure the family's case record contained documentation to indicate household individuals were not in violation of their probation or parole requirements related to any offense in order to demonstrate the family was in need of TANF assistance.
Criteria
Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures applying to both the federal award and other activities of the state.
Cause
MDHHS informed us its controls were not sufficient to ensure all of the required verification documentation was appropriately maintained in the client's case record.
Effect
MDHHS may have made TANF-funded assistance payments to ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $13 - federally funded.
Recommendation
We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-046
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Inappropriate TANF-Funded Emergency Foster Care Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately consider a child's circumstances to ensure the child met eligibility requirements for 1 (17%) of 6 sampled TANF-funded emergency foster care case records. Our review disclosed that, because the child met Foster Care Title IV-E program requirements, the child did not meet TANF eligibility requirements.
Criteria
MDHHS's TANF State Plan allows MDHHS to use TANF funds for emergency foster care only if such care cannot be provided under Title IV-E. Administration for Children and Families' TANF Program Policy Questions and Answers indicate states may not use federal TANF or State maintenance of effort funds to take the place of any foster care maintenance payments provided under the federal foster care program.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures applying to both the federal award and other activities of the state.
Cause
MDHHS informed us the child welfare funding specialist did not timely update the funding determination because they were not aware the case manager uploaded the child's birth certificate.
Effect
MDHHS may have made emergency foster care payments on behalf of a child who did not qualify for TANF federal reimbursement. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,430 - federally funded.
Recommendation
We recommend MDHHS appropriately consider a child's circumstances to ensure the child meets TANF eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-047
Temporary Assistance for Needy Families, ALN 93.558, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for 1 of 3 sampled subrecipients.
b. MDHHS did not document its monitoring activities and any potential follow-up actions related to deficiencies noted during the review for 1 of 2 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and the subaward performance goals are achieved.
Cause
MDHHS believed its current process to monitor and evaluate subrecipients was sufficient to comply with program requirements. However, the documentation provided did not substantiate the procedures completed.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-048
Temporary Assistance for Needy Families, ALN 93.558, Special Tests and Provisions - Child Support Non-Cooperation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately and timely sanction TANF families who did not cooperate with establishing paternity and child support orders in 3 (8%) of the 40 sampled case records. MDHHS uses an automated interface between the Michigan Child Support Enforcement System and Bridges to identify and sanction TANF families not cooperating with establishing paternity and child support orders.
We noted:
a. In 2 of the 3 cases, the automated interface identified the TANF family was not cooperating, but the benefits did not stop and the clients' case records did not contain evidence the clients met good cause criteria for not cooperating.
b. In 1 of the 3 cases, the TANF family cooperated within the negative action period; however, the family was inappropriately sanctioned and benefits were stopped.
Criteria
Federal regulation 45 CFR 264.30 states MDHHS must deduct an amount equal to not less than 25% from the TANF-funded assistance that would otherwise be provided to the family of the individual or may deny the family any TANF-funded assistance. MDHHS's TANF State Plan states failure to cooperate in establishing paternity and pursuing child support for dependent children will result in TANF client ineligibility for a one-month minimum.
Cause
MDHHS's internal control did not prevent a client from being sanctioned inappropriately for 1 case. For the remaining 2 cases, MDHHS informed us the one-month sanction period for the child support non-cooperation was not applied because the case was in a non-ongoing mode, which requires certification of the case by all MDHHS programs because of a change in client circumstances.
Effect
MDHHS may have inappropriately paid TANF funds to individuals who were ineligible because of failure to comply with child support requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS appropriately and timely sanction TANF families who do not cooperate with establishing paternity and child support orders.
We also recommend MDHHS not sanction TANF families who timely cooperate with establishing paternity and child support orders.
Management Views
MDHHS disagrees with part a. of the finding. MDHHS's eligibility system, Bridges, was functioning as intended for the two cases identified because each case was in a non-ongoing mode at the time the automated interface occurred. A case is placed into this status if the client circumstances have changed for any MDHHS program within Bridges and the case requires a redetermination. TANF policy cannot mandate Bridges to change the non-ongoing mode because each impacted program is required to be certified prior to changing the status. MDHHS policy does not mandate a specific length of time a case can be in a non-ongoing status. The results of the redetermination can impact the client's non-cooperation status and therefore the client should not be sanctioned until the certification by all programs is complete.
For one of the cases, the client was appropriately sanctioned after the case review was complete and for the other case, the client was determined to be in compliance once the case was removed from the non-ongoing status mode.
MDHHS agrees with part b. of the finding.
Auditor's Comments to Management Views
MDHHS did not timely initiate sanctions against clients identified as not cooperating with establishing paternity and child support orders. Federal regulation 45 CFR 233.10 states when there is a change in circumstances, payment may not continue beyond one month after the change. For the 2 exceptions with which MDHHS disagrees, we noted MDHHS continued to make payments for up to 2 months after benefits should have stopped.
Therefore, the finding stands as written.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-049
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, and Subrecipient Monitoring - Salesforce Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not fully establish effective security management and access controls over the Salesforce users. Program subrecipients utilize Salesforce to submit performance data, contract budgets, and expenditure submissions related to refugee resettlement. Also, LEO program staff utilize Salesforce to manage subgrants and review and approve subrecipient contract budgets and payment requests. We noted LEO did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Salesforce. As a result, an increased risk exists LEO cannot ensure the security of the Salesforce application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective security management and access controls over Salesforce users.
Management Views
LEO agrees with the finding.
FINDING 2024-050
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Assistance to Ineligible Refugees
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility. Our review disclosed MDHHS did not maintain sufficient documentation of its efforts to evaluate clients' eligibility; examples of documentation include support for the verification of nationality, identification, U.S. entry date, and mandatory work for 22 (55%) of 40 sampled refugee cash assistance payments.
Criteria
Federal regulations 45 CFR 400.53 and 45 CFR 400.75(a) require refugees to meet general eligibility requirements for refugee cash assistance, including requirements that eligible refugees meet immigration status and identification conditions; reside in the United States less than the eligibility period determined by HHS's Office of Refugee Resettlement; and cannot, without good cause, fail or refuse to meet the work registry requirements. Also, federal regulation 45 CFR 400.28 requires MDHHS provide for the maintenance of operational records as are necessary for federal monitoring of the State's REAP.
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in clients' case records to support eligibility.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have provided assistance to ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $892 - federal share.
Recommendation
We recommend LEO and MDHHS maintain documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
LEO and MDHHS agree with the finding.
FINDING 2024-051
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - Accuracy and Completeness of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not have an adequate process in place to ensure it submitted accurate and complete financial reports to HHS's Office of Refugee Resettlement (ORR). For all 4 sampled Federal Financial Reports (SF-425) and 1 of the 2 sampled Cash and Medical Assistance (CMA) Quarterly Reports on Expenditures and Obligations (ORR-2), LEO did not retain auditable submitted information, such as detailed expenditure data and explanations for the expenditure adjustments.
Criteria
Federal regulation 45 CFR 75.361 requires financial records, supporting documents, statistical records, and all other nonfederal entity records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report or from the date of the submission of the quarterly or annual financial report.
Federal regulation 45 CFR 75.302(b)(2) requires the State to submit accurate and complete financial data in accordance with a grant program's reporting requirements. Also, federal regulation 45 CFR 400.11(c) indicates the State must submit financial status reports, which include information such as federal expenditures, unliquidated obligations, and cash receipts and disbursements.
Cause
LEO informed us staff turnover combined with an inconsistent methodology when compiling data, adjusting expenditures, and assigning coding resulted in inaccurate and incomplete financial reports.
Effect
We consider this to be a material weakness and material noncompliance because LEO may have diminished ORR's ability to ensure appropriate oversight and monitoring of Refugee Support Services and CMA funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO establish an adequate process to ensure it submits accurate and complete financial reports to ORR.
Management Views
LEO agrees with the finding.
FINDING 2024-052
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Background
LEO informed us it did not report any subaward information from October 2023 through March 2024 and then inappropriately calculated the subaward amounts reported from April 2024 through September 2024. In accordance with federal regulation 2 CFR 200.514, we determined additional compliance testing was not necessary because of ineffective internal control.
Condition
LEO did not ensure it reported or accurately and timely reported all REAP subaward information as required by FFATA.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires LEO to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
LEO indicated it had not implemented a process to accumulate and submit the required information to the federal system until April 2024. Also, LEO informed us the report it used to accumulate subaward information did not contain accurate subaward amounts.
Effect
LEO grant information was not accurate or timely available for public access through the federal website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance because LEO did not ensure it reported, or accurately and timely reported, all subaward information as required by FFATA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO report REAP subaward information as required by FFATA.
Management Views
LEO agrees with the finding.
FINDING 2024-053
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Subrecipient Monitoring - Subrecipient Audits and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not properly monitor its subrecipients to ensure they complied with the Uniform Guidance. In addition, LEO did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. LEO did not have a process to identify or document if the subrecipients required a single audit. Therefore, LEO did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. LEO did not report the federal award date for 2 of 6 sampled REAP subrecipients.
c. LEO did not accurately report one or more of the following for all 6 sampled REAP subrecipients: UEI and FAIN.
Criteria
Federal regulation 45 CFR 75.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 45 CFR 75.352(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 45 CFR 75.521(d) requires LEO to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by FAC.
In addition, federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to review subrecipient single audits.
For parts b. and c., LEO informed us because of an oversight, it did not always use the appropriately updated grant agreement templates with the correct subaward information for fiscal year 2024.
Effect
LEO limited the State's assurance its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to LEO's records. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. We consider this to be a material weakness and material noncompliance because LEO did not complete any monitoring of its subrecipients' single audits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO monitor its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO ensure it reports or accurately reports to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
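The file-level reconciliation this finding turns on, sketched as an added illustration; it is not part of the audit report and is not DTMB's or Bridges' code. The record layouts, interface names, file IDs, and counts are constructed assumptions. Each file is checked on its own against its control total, and results are reported per interface rather than pooled across all files.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRecord:
    """File control entry: what the source system declares it sent."""
    interface: str
    file_id: str
    records_sent: int


@dataclass(frozen=True)
class SummaryRow:
    """Batch summary entry: what the receiving job logged for one file."""
    file_id: str
    loaded: int
    exceptions: int


# Constructed sample data (hypothetical interfaces, files, and counts).
CONTROL = [
    ControlRecord("IF-DAILY", "D-001", 1000),
    ControlRecord("IF-DAILY", "D-002", 1200),
    ControlRecord("IF-DAILY", "D-003", 900),
    ControlRecord("IF-MONTHLY", "M-001", 50000),
    ControlRecord("IF-MONTHLY", "M-002", 52000),
]
SUMMARY = [
    SummaryRow("D-001", 998, 2),
    SummaryRow("D-002", 1200, 0),
    SummaryRow("D-002", 1200, 0),    # same file logged twice
    # D-003: no summary row was written at all
    SummaryRow("M-001", 49990, 10),
    SummaryRow("M-002", 51999, 0),   # one record not accounted for
]
# Number of detailed exception records retained per file.
DETAIL_EXCEPTIONS = Counter({"D-001": 2, "M-001": 10, "M-002": 1})


def reconcile_file(ctrl, rows, detail_count):
    """Return the reconciliation issues for a single interface file."""
    if not rows:
        return ["COUNT_NOT_LOGGED"]
    issues = []
    if len(rows) > 1:
        issues.append("COUNT_DUPLICATED")
    row = rows[0]
    # Every record sent must land in exactly one logged bucket.
    if row.loaded + row.exceptions != ctrl.records_sent:
        issues.append("CONTROL_TOTAL_MISMATCH")
    # The summary must agree with the detail records behind it.
    if detail_count != row.exceptions:
        issues.append("DETAIL_SUMMARY_MISMATCH")
    return issues


def reconcile_all(control, summary, detail):
    """Reconcile every file listed in the control table, one file at a time."""
    rows_by_file = defaultdict(list)
    for row in summary:
        rows_by_file[row.file_id].append(row)
    return {
        c.file_id: reconcile_file(c, rows_by_file[c.file_id],
                                  detail.get(c.file_id, 0))
        for c in control
    }


def file_failure_rates(control, results):
    """Per interface: (files that did not reconcile, files checked)."""
    rates = {}
    for c in control:
        failed, total = rates.get(c.interface, (0, 0))
        rates[c.interface] = (failed + bool(results[c.file_id]), total + 1)
    return rates


if __name__ == "__main__":
    results = reconcile_all(CONTROL, SUMMARY, DETAIL_EXCEPTIONS)
    for file_id, issues in results.items():
        print(file_id, "OK" if not issues else ", ".join(issues))
    for interface, (failed, total) in file_failure_rates(CONTROL, results).items():
        print(f"{interface}: {failed} of {total} files did not reconcile")
```

A check like this only stays reproducible for as long as the detail records behind the summary counts are retained.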
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-054
Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2024 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the LIHEAP clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2024-055
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, client contribution payment, and proof of energy crisis for 11 (26%) of 42 sampled LIHEAP-funded State Emergency Relief (SER) energy payments.
Criteria
Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy.
MDHHS policy requires county/district office caseworkers to verify and include certain income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy, effective through November 30, 2023, states the payment amount must match the amount on the past due or shut-off notice. MDHHS revised its policy, effective November 13, 2023, to indicate the payment should be processed using the most advantageous amount to benefit the client up to the service cap. In addition, policy indicates the client contribution payment or payment by another agency must be verified before authorizing the department's portion of the remaining cost of services.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure county/district office specialists adhered to established policies and procedures.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $4,397 - federal share.
Recommendation
We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records identified with errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed. Examples of documentation include MAGI-based income verification results, other income support, and signed applications.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
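Added illustration (not part of the audit report and not DTMB's code): a file-level reconciliation of control totals of the kind FISCAM describes, flagging counts that were never logged or were logged twice, and comparing per-interface failure rates with a rate pooled across interfaces. The table layouts, interface names, file IDs, counts, and status labels are constructed assumptions, not the Bridges schema or audit data.

```python
from collections import defaultdict

# Constructed sample data (hypothetical layout, not the Bridges schema).
# File control table: one row per transferred file with the sender's record count.
FILE_CONTROL = [
    # (interface, file_id, records_sent)
    ("DAILY_A", "A-01", 1000), ("DAILY_A", "A-02", 1100),
    ("DAILY_A", "A-03", 950), ("DAILY_A", "A-04", 1020),
    ("DAILY_A", "A-05", 980), ("DAILY_A", "A-06", 1200),
    ("MONTHLY_B", "B-01", 50000), ("MONTHLY_B", "B-02", 52000),
]

# Batch summary table: rows written by the receiving job after each run.
BATCH_SUMMARY = [
    # (interface, file_id, records_processed, records_in_exception)
    ("DAILY_A", "A-01", 990, 10), ("DAILY_A", "A-02", 1100, 0),
    ("DAILY_A", "A-03", 945, 5), ("DAILY_A", "A-04", 1020, 0),
    ("DAILY_A", "A-05", 978, 2),
    ("DAILY_A", "A-06", 1190, 8),       # 2 records unaccounted for
    # MONTHLY_B / B-01 has no row at all: the count was never logged
    ("MONTHLY_B", "B-02", 51990, 10),
    ("MONTHLY_B", "B-02", 51990, 10),   # the same count logged twice
]


def reconcile(file_control, batch_summary):
    """Return {(interface, file_id): status}, one entry per file.

    A file reconciles only if exactly one summary row exists and
    processed + exceptions equals the sender's control total.
    """
    logged = defaultdict(list)
    for interface, file_id, processed, exceptions in batch_summary:
        logged[(interface, file_id)].append(processed + exceptions)

    results = {}
    for interface, file_id, sent in file_control:
        totals = logged.pop((interface, file_id), [])
        if not totals:
            status = "NOT_LOGGED"
        elif len(totals) > 1:
            status = "DUPLICATED"
        elif totals[0] != sent:
            status = "COUNT_MISMATCH"
        else:
            status = "OK"
        results[(interface, file_id)] = status

    # Summary rows for files the sender never declared are also exceptions.
    for key in logged:
        results[key] = "NO_CONTROL_RECORD"
    return results


def failure_rates(results):
    """Return (per-interface failure rate, rate pooled over all files)."""
    counts = defaultdict(lambda: [0, 0])  # interface -> [failed, total]
    for (interface, _file_id), status in results.items():
        counts[interface][1] += 1
        if status != "OK":
            counts[interface][0] += 1
    by_interface = {name: f / t for name, (f, t) in counts.items()}
    pooled = (sum(f for f, _ in counts.values())
              / sum(t for _, t in counts.values()))
    return by_interface, pooled


if __name__ == "__main__":
    results = reconcile(FILE_CONTROL, BATCH_SUMMARY)
    for key, status in sorted(results.items()):
        if status != "OK":
            print(key, status)
    by_interface, pooled = failure_rates(results)
    print(by_interface, "pooled:", pooled)
```

In this constructed data every monthly file fails to reconcile, while the pooled rate is pulled down by the more frequent daily interface, which is why the check is evaluated per file and per interface.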
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-056
Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, Reporting, Subrecipient Monitoring, and Special Tests and Provisions - EM Grants Manager Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of State Police (MSP) did not fully establish effective security management and access controls over EM Grants Manager. MSP program staff utilize EM Grants Manager for administering Federal Emergency Management Agency disaster grants. We noted:
a. MSP did not maintain documentation for 2 (10%) of 20 sampled EM Grants Manager access request forms.
b. MSP did not review privileged accounts on a semiannual basis.
c. MSP did not disable 1,658 (89%) of 1,868 active EM Grants Manager user accounts not accessing the application in over 60 days as of September 30, 2024.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that privileged accounts be reviewed semiannually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days.
Cause
MSP informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to EM Grants Manager.
Known Questioned Costs
None.
Recommendation
We recommend MSP fully establish effective security management and access controls over EM Grants Manager.
Management Views
MSP agrees with the finding.
FINDING 2024-057
Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MSP did not ensure it reported Disaster Grants - Public Assistance subaward information as required by FFATA. We reviewed 7 sampled subawards totaling $4,324,919 and noted MSP did not report subaward information for 1 subaward totaling $1,926,228.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MSP to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MSP informed us because of an oversight and the transition to a new grant management system, it did not report the subaward information.
Effect
MSP grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MSP ensure it reports the Disaster Grants - Public Assistance subaward information as required by FFATA.
Management Views
MSP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the interfaces occur at different intervals. Doing so would minimize the errors noted in less frequent interfaces when compared with more frequent interfaces. Also, the significance of an interface depends not on how frequently it runs but on its purpose.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner allowing replication of the purged files, to support that controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support that caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-018
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective access controls, individuals may retain inappropriate access to the MI-WIC database.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database.
Management Views
MDHHS and DTMB agree with the finding.
FINDING 2024-019
WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over MI-WIC. Our review disclosed MDHHS did not document testing results at one stage of the process for 2 (5%) of 40 sampled MI-WIC change records.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to make sure the changes meet the documented requirements by testing against the documented test plan. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us that because of an oversight, it did not document the testing results.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MI-WIC. As a result, an increased risk exists MDHHS cannot ensure MI-WIC is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over MI-WIC.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-020
National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Military and Veterans Affairs (DMVA) did not follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA. We noted DMVA did not maintain sufficient or accurate documentation to support it timely submitted a reimbursement request for 10 (26%) of 38 sampled cash draws. For the remaining 28 cash draws reviewed, DMVA did not timely submit the reimbursement requests for 4 (14%) sampled cash draws. DMVA took between 88 and 369 days to process these requests.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Subpart B of federal regulation 31 CFR 205 requires a state must minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
DMVA's process is to run departmental expenditure reports for each appendix by the fifteenth day of the following month in which the expenditures were incurred. The process to submit the Request for Advance or Reimbursement (SF-270) to the United States Property and Fiscal Office (USPFO) varies by appendix.
For construction appendices, DMVA sends the expenditure reports to its federal program manager for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the federal program manager approves the coding, DMVA prepares the SF-270 and sends it back to its federal program manager for final approval and submission to the USPFO.
For all other appendices, DMVA prepares the SF-270 using the expenditure reports and sends the SF-270 to the federal program managers for approval. For airbases, the federal program managers submit the SF-270 to the USPFO after it is approved.
Cause
DMVA informed us competing priorities contributed to its inability to timely process reimbursement requests. Also, DMVA indicated its controls were not sufficient to ensure the retention of documentation to support the timely submission of reimbursement requests.
Effect
DMVA limited its assurance it complied with the CMIA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DMVA follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA.
Management Views
DMVA agrees with the finding.
FINDING 2024-021
National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Period of Performance - Extension Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DMVA did not timely submit extension requests for cooperative agreement (CA) appendices sent to the USPFO for 2 (8%) of 24 appendices requiring extension requests during fiscal year 2024. For these 2 appendices, DMVA submitted the requests 111 days late.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over the federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 2 CFR 200.308 states a recipient must notify the federal agency in writing with the supporting justification and a revised period of performance at least 10 calendar days before the conclusion of the period of performance.
The National Guard Bureau's Grants and Cooperative Agreement Policy Letter 21-07 indicates for projects and activities that cannot be completed before the end of a CA award's budget period of performance, the grantee must submit the extension request at least 10 days prior to the end of the period of performance.
Cause
DMVA's internal control and monitoring activities were not sufficient to ensure it timely submitted the required extension requests for CA appendices sent to the USPFO.
Effect
DMVA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of the CA appendices. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend DMVA timely submit extension requests for CA appendices sent to the USPFO.
Management Views
DMVA agrees with the finding.
FINDING 2024-058
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-001.
FINDING 2024-059
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-002.
FINDING 2024-060
Unemployment Insurance, ALN 17.225
See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2024, Finding 2024-003.
FINDING 2024-022
Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.
Known Questioned Costs
None.
Recommendation
We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.
Management Views
MDOT agrees with the finding.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed semiannually for compliance with account management requirements.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in the privileged accounts not being removed and reviewed.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed annually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-023
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - PTMS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDOT did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. MDOT program staff utilize PTMS to approve subrecipient budget and payment requests. We noted MDOT did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
MDOT informed us an oversight occurred due to employee turnover.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS.
Known Questioned Costs
None.
Recommendation
We recommend MDOT fully establish effective security management and access controls over PTMS users.
Management Views
MDOT agrees with the finding.
FINDING 2024-024
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 2 (9%) of 23 sampled payments to ensure the requests were reasonable and appropriate.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
EGLE informed us it did not always follow the established process for reviewing and approving reimbursement requests for one grant.
Effect
EGLE could potentially reimburse for ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.
Management Views
EGLE agrees with the finding.
FINDING 2024-025
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not have sufficient controls in place to prevent or detect and correct payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments subsequent to manual input into the Medical Services Administration Manual Payment System (MSAPay).
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Also, Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure it documented its review and approval of respite grant payments in MSAPay.
Effect
These deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS improve its controls to prevent or detect and correct payment errors made to respite grant recipients.
Management Views
MDHHS agrees with the finding.
FINDING 2024-026
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) data reported to the U.S. Department of the Treasury. Our review of 9 sampled Workfront users noted:
a. DTMB did not maintain documentation to support it approved the system role for 5 sampled Workfront users.
b. DTMB did not ensure it properly approved 2 users prior to granting access to Workfront.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies in place at the time of approval.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.
Management Views
DTMB agrees with the finding.
FINDING 2024-027
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDOT, LEO, and the Michigan Strategic Fund (MSF) did not report to their subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. MDOT did not report for all 3 sampled CSLFRF subrecipients the following: UEI, FAIN, federal award date, subaward period of performance start and end date, subaward budget period start and end date, federal awarding agency name, ALN title, identification of whether the award is for research and development (R&D), indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and the closeout terms and conditions.
b. LEO did not report the correct FAIN for 1 of 3 sampled CSLFRF subrecipients.
c. MSF did not report one or more of the following for the 2 sampled CSLFRF subrecipients: identification of whether the award is for R&D, indirect cost rate for the federal award, and an approved federally recognized indirect cost rate for the subrecipient.
Criteria
Federal regulation 2 CFR 200.332(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., MDOT informed us because of an oversight in the process of developing its subawards, it did not provide all required subaward information to subrecipients. MDOT believed it used the best available information at the time it developed and executed the subawards but later discovered the oversight.
For part b., LEO informed us because of an oversight, it did not use the correct FAIN when creating the grant agreement.
For part c., MSF's internal control was not sufficient to ensure it provided all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDOT, LEO, and MSF report to their subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MDOT, LEO, and MSF agree with the finding.
FINDING 2024-028
Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Subrecipient Monitoring - Subrecipient Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO, MSF, and EGLE did not properly monitor their subrecipients to ensure they complied with the Uniform Guidance. We noted:
a. LEO and MSF did not have a process to identify or document if their subrecipients required a single audit. Therefore, LEO and MSF did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. EGLE did not identify or document if its subrecipients required a single audit for 8 (67%) of 12 sampled subrecipients. We reviewed the federal audit clearinghouse (FAC) and noted 2 of the 8 subrecipients had single audit reports submitted to the FAC in fiscal year 2024.
Criteria
Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521(d) requires the pass-through entity to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to monitor subrecipient single audits. MSF indicated it believes its current process was sufficient because it requires the subrecipients to notify MSF upon completion of their single audits.
For part b., EGLE informed us due to an increase in subrecipients and division of responsibilities, not all CSLFRF subrecipients were tracked for single audits.
Effect
LEO, MSF, and EGLE limited the State's assurance their subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to their records. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO, MSF, and EGLE properly monitor their subrecipients to ensure they comply with the Uniform Guidance.
Management Views
For part a., LEO agrees with the finding.
All three of MSF's subrecipient awards for the fiscal year were sampled totaling approximately $274,000 (0.3 percent of the total award). While MSF agrees with the finding that it did not have a written process to verify single audit compliance, management believes that MSF's risk assessment of subrecipients adequately determined that single audit verification was not required for two of its subrecipients since, based on all anticipated federal awards for the subrecipient, it was not expected that they would reach the expenditure threshold (2 CFR 200.332(f)). The third annually files a single audit, was expected to file a single audit, and did file a single audit.
For part b., EGLE agrees with the finding.
Auditor's Comments to Management Views
Regarding part a., MSF acknowledges it does not have a process to identify or document its review of subrecipient single audit reports. MSF did not provide documentation to support the award period or the amount of the subaward to these three subrecipients. Regardless of the amount of the subaward, federal regulation 2 CFR 200.501 indicates the $750,000 threshold is based on the subrecipient's total federal expenditures for all federal programs during its fiscal year and not based on a specific program's subaward amounts or expenditures. Also, MSF did not review the single audit report submitted to the FAC and determine if it was necessary to issue a management decision letter for audit findings affecting the subawards it issued to the subrecipient.
Therefore, the finding stands as written.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-029
Adult Education - Basic Grants to States, ALN 84.002, Subrecipient Monitoring - During-the-Award Monitoring and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not complete sufficient during-the-award monitoring of its subrecipients to ensure it complied with the Uniform Guidance. In addition, LEO did not accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
We noted:
a. LEO did not fully complete desk audits for all 92 subrecipients. Therefore, LEO did not review and monitor these subrecipients to ensure their compliance with program requirements.
b. LEO did not report the correct FAIN for all 92 subrecipients.
Criteria
Federal regulation 2 CFR 200.332(d) requires LEO to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved.
As part of its monitoring procedures, LEO completes an annual four-step desk audit of its subrecipients which includes review and approval of the subrecipient application narrative, budget, final expenditure report, and final narrative.
Federal regulation 2 CFR 200.332(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., LEO informed us competing priorities impacted its ability to complete the final two steps of the desk audits.
For part b., LEO indicated the incorrect FAIN on the subrecipient subawards was caused by a manual data entry error.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and LEO's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO complete sufficient during-the-award monitoring of its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO accurately report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-030
Rehabilitation Services Vocational Rehabilitation Grants to States, ALN 84.126, Reporting - Accuracy of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not submit accurate financial reports to the U.S. Department of Education for 2 of 4 sampled Vocational Rehabilitation Financial Reports (RSA-17). In these 2 RSA-17 reports, line items included incorrect expenditure amounts, resulting in overstating or understating the expenditures. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulation 2 CFR 200.302(b)(2) requires states to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include specific details for reporting information, such as expenditures and indirect costs made in the federal fiscal year for the grant year being reported.
Cause
LEO's internal control was not sufficient to detect data entry errors included in the submitted reports.
Effect
LEO may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of Rehabilitation Services Vocational Rehabilitation Grants to States funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO improve its internal control and submit accurate financial reports to the U.S. Department of Education.
Management Views
LEO agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed semiannually for compliance with account management requirements.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed annually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-031
Twenty-First Century Community Learning Centers, ALN 84.287, Subrecipient Monitoring - Program Fiscal Reviews
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not sufficiently monitor the activities of its subrecipients to ensure federal awards are used for authorized purposes. We noted MiLEAP did not complete program fiscal reviews for all 26 subrecipients.
Criteria
Federal regulation 2 CFR 200.332(d) requires MiLEAP to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and the subaward performance goals are achieved.
As part of its monitoring procedures, MiLEAP conducts an annual program fiscal review of each subrecipient.
Cause
MiLEAP informed us limited resources contributed to its inability to sufficiently monitor its subrecipients.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MiLEAP's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP sufficiently monitor the activities of its subrecipients to ensure federal awards are used for authorized purposes.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
c. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-033
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 5 (8%) of the 60 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 5 (8%) of 60 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (2%) of 60 cases reviewed, which is also reported in part a. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MiLEAP to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MiLEAP identify additional eligibility requirements in its CCDF State Plan. MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the FMAP rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MiLEAP may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $586 - federal share.
• $257 - State share of costs MiLEAP inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-035
CCDF Cluster, ALN 93.575 and 93.596, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDE did not have a process to ensure they submitted subaward information as required by the FFATA of 2006 and federal guidance. MDE's process is to collect pertinent data on the first of the month, verify the data by the twenty-fifth day of the month, and submit the data to FSRS by the end of the month. As of March 2025, the U.S. General Services Administration retired FSRS, and all subaward reporting data and functionality are available on the System for Award Management (SAM).
We reviewed SAM and MDE's FFATA documentation and could not determine if MDE reported or timely reported all 10 sampled CCDF Cluster subawards totaling $6,171,004.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE informed us it believes all data was submitted appropriately to FSRS but may not be available in SAM due to federal system issues.
Effect
MiLEAP and MDE grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because MDE did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP and MDE submit subaward information as required by FFATA and federal guidance.
Management Views
MiLEAP and MDE agree with the finding.
FINDING 2024-036
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MiLEAP did not report or accurately report the UEI, federal award project description, indirect cost rate, or the period of performance end date for 1 of 4 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MiLEAP informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
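The following is an added example, not part of the audit report and not DTMB's code. It sketches a per-file reconciliation of the kind the FISCAM criteria describe, flagging record counts that were not logged or were duplicated (the stated cause) and tallying results per interface rather than pooling them. The table layouts, field names, and sample rows are hypothetical and constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileControl:
    """File control row: what the source system sent (hypothetical schema)."""
    interface: str
    file_id: str
    records_received: int


@dataclass(frozen=True)
class BatchSummary:
    """Batch summary row: control totals logged after processing (hypothetical)."""
    file_id: str
    records_loaded: int
    exceptions: int


def reconcile(controls, summaries, exception_log, purged=frozenset()):
    """Return {file_id: [problem, ...]}; an empty list means the file reconciles.

    exception_log holds one file_id per detailed exception record.
    purged names files whose detailed exception records no longer exist.
    """
    by_file = defaultdict(list)
    for row in summaries:
        by_file[row.file_id].append(row)
    detail = Counter(exception_log)

    results = {}
    for ctl in controls:
        problems = []
        rows = by_file.get(ctl.file_id, [])
        if not rows:
            problems.append("counts not logged: no batch summary row")
        elif len(rows) > 1:
            problems.append(f"counts duplicated: {len(rows)} batch summary rows")
        else:
            row = rows[0]
            total = row.records_loaded + row.exceptions
            if total != ctl.records_received:
                problems.append(
                    f"control total mismatch: received {ctl.records_received}, "
                    f"accounted for {total}")
            if ctl.file_id in purged:
                # Summary exists but there is nothing left to check it against.
                problems.append("unverifiable: detailed exception records purged")
            elif detail[ctl.file_id] != row.exceptions:
                problems.append(
                    f"exception count mismatch: summary {row.exceptions}, "
                    f"detail {detail[ctl.file_id]}")
        results[ctl.file_id] = problems
    return results


def failures_by_interface(controls, results):
    """Per-interface (failed files, sampled files); interfaces are never pooled."""
    tally = {}
    for ctl in controls:
        failed, sampled = tally.get(ctl.interface, (0, 0))
        tally[ctl.interface] = (failed + bool(results[ctl.file_id]), sampled + 1)
    return tally


# Constructed sample data: one daily and one monthly interface.
CONTROLS = [
    FileControl("IF-DAILY", "D1", 1000),
    FileControl("IF-DAILY", "D2", 500),
    FileControl("IF-DAILY", "D3", 200),
    FileControl("IF-DAILY", "D4", 300),
    FileControl("IF-MONTHLY", "M1", 50),
    FileControl("IF-MONTHLY", "M2", 60),
]
SUMMARIES = [
    BatchSummary("D1", 990, 10),
    # D2: processing ran but no counts were logged
    BatchSummary("D3", 198, 2),
    BatchSummary("D3", 198, 2),   # same counts logged twice
    BatchSummary("D4", 295, 5),   # only 4 detail records exist
    BatchSummary("M1", 48, 1),    # one received record unaccounted for
    BatchSummary("M2", 60, 0),
]
EXCEPTION_LOG = ["D1"] * 10 + ["D3"] * 2 + ["D4"] * 4 + ["M1"]
PURGED = frozenset({"M2"})

if __name__ == "__main__":
    outcome = reconcile(CONTROLS, SUMMARIES, EXCEPTION_LOG, PURGED)
    for file_id, problems in outcome.items():
        print(file_id, "OK" if not problems else "; ".join(problems))
    print(failures_by_interface(CONTROLS, outcome))
```

Treating a purged file as unverifiable rather than as reconciled is a choice made in this sketch; the report itself records the two positions on retention.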
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
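The following is an added example, not part of the audit report and not the State's tooling. It checks an account export against the account management rules cited in the criteria of Findings 2024-008 and 2024-009: removal within three business days, recertification semiannually for privileged accounts and annually for others, and disabling of inactive accounts after 60 days or, under the approved exception, 18 months. The export schema and sample accounts are hypothetical and constructed; State holidays are ignored when counting business days.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    """One row of an account export (hypothetical schema)."""
    user: str
    privileged: bool
    last_login: date
    last_recertified: Optional[date]
    separated_on: Optional[date] = None  # date the user left or transferred
    enabled: bool = True


def add_business_days(start, days):
    """Date `days` business days after start (weekends skipped, holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def add_months(start, months):
    """Same day of month `months` later, clamped to the end of shorter months."""
    year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def review(accounts, as_of, inactive_months=None, inactive_days=60):
    """Return {user: [issue, ...]} for enabled accounts that break a rule.

    inactive_days=60 is the baseline in the Standard; pass inactive_months=18
    to apply the approved exception instead.
    """
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if acct.separated_on and as_of > add_business_days(acct.separated_on, 3):
            issues.append("not removed within three business days")
        if inactive_months is not None:
            disable_by = add_months(acct.last_login, inactive_months)
        else:
            disable_by = acct.last_login + timedelta(days=inactive_days)
        if as_of > disable_by:
            issues.append("inactive account not disabled")
        interval = 6 if acct.privileged else 12  # months between recertifications
        if (acct.last_recertified is None
                or as_of > add_months(acct.last_recertified, interval)):
            issues.append("recertification overdue")
        if issues:
            findings[acct.user] = issues
    return findings


# Constructed sample export, reviewed as of September 30, 2024 (a Monday).
AS_OF = date(2024, 9, 30)
ACCOUNTS = [
    Account("alice", False, date(2024, 9, 1), date(2024, 1, 15)),
    Account("bob", True, date(2024, 9, 20), date(2024, 2, 1)),
    Account("carol", False, date(2023, 2, 10), date(2024, 3, 1)),
    Account("dave", False, date(2024, 6, 1), date(2024, 5, 1)),
    Account("erin", True, date(2024, 9, 23), date(2024, 6, 1),
            separated_on=date(2024, 9, 24)),   # Tuesday: due Friday 9/27
    Account("frank", False, date(2024, 9, 25), date(2024, 4, 1),
            separated_on=date(2024, 9, 26)),   # Thursday: due Tuesday 10/1
]

if __name__ == "__main__":
    for label, kwargs in (("18-month exception", {"inactive_months": 18}),
                          ("60-day baseline", {})):
        print(label)
        for user, issues in review(ACCOUNTS, AS_OF, **kwargs).items():
            print(f"  {user}: {', '.join(issues)}")
```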
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-033
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 5 (8%) of the 60 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 5 (8%) of 60 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (2%) of 60 cases reviewed, which is also reported in part a. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MiLEAP to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MiLEAP identify additional eligibility requirements in its CCDF State Plan. MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the FMAP rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MiLEAP may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $586 - federal share.
• $257 - State share of costs MiLEAP inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-035
CCDF Cluster, ALN 93.575 and 93.596, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDE did not have a process to ensure they submitted subaward information as required by the FFATA of 2006 and federal guidance. MDE's process is to collect pertinent data on the first of the month, verify the data by the twenty-fifth day of the month, and submit the data to FSRS by the end of the month. As of March 2025, the U.S. General Services Administration retired FSRS, and all subaward reporting data and functionality are available on the System for Award Management (SAM).
We reviewed SAM and MDE's FFATA documentation and could not determine if MDE reported or timely reported all 10 sampled CCDF Cluster subawards totaling $6,171,004.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on the FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.
Cause
MDE informed us it believes all data was submitted appropriately to FSRS but may not be available in SAM due to federal system issues.
Effect
MiLEAP and MDE grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. We consider this to be a material weakness and material noncompliance because MDE did not complete any FFATA reporting. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP and MDE submit subaward information as required by FFATA and federal guidance.
Management Views
MiLEAP and MDE agree with the finding.
FINDING 2024-036
CCDF Cluster, ALN 93.575 and 93.596, Subrecipient Monitoring - Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted MiLEAP did not report or accurately report the UEI, federal award project description, indirect cost rate, or the period of performance end date for 1 of 4 sampled CCDF subawards.
Criteria
Federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
MiLEAP informed us because of an oversight, it did not always provide all required subaward information to subrecipients.
Effect
Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP report to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-008
MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.
LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.
The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.
MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.
Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.
Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.
Known Questioned Costs
None.
Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.
Management Views
DTMB agrees with the finding.
FINDING 2024-009
MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months.
MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.
Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.
Management Views
MDE agrees with the finding.
FINDING 2024-032
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - MWBC Child Care System User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP did not fully establish effective user access controls over the Michigan Workforce Background Check (MWBC) Child Care System. MiLEAP used the MWBC Child Care System to conduct and record the results of the child care providers' criminal history checks. We noted MiLEAP did not maintain documentation for 1 of the 2 MWBC Child Care System application security agreements reviewed. Of the 1 form received, we noted MiLEAP did not properly approve the form prior to granting access to the MWBC Child Care System.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.
Cause
MiLEAP informed us its internal control activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access or make inappropriate updates to the MWBC Child Care System.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP fully establish effective user access controls over the MWBC Child Care System.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-033
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MiLEAP and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 5 (8%) of the 60 cases we reviewed. Our review disclosed:
a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 5 (8%) of 60 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 1 (2%) of 60 cases reviewed, which is also reported in part a. We determined this did not affect the client's eligibility for child care services or level of benefits.
Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MiLEAP to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MiLEAP identify additional eligibility requirements in its CCDF State Plan. MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.
Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the FMAP rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.
Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered all required verification documentation in the client's case record to support eligibility.
Effect
MiLEAP may have made payments on behalf of ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $586 - federal share.
• $257 - State share of costs MiLEAP inappropriately used as matching.
Recommendation
We recommend MiLEAP and MDHHS maintain sufficient documentation and ensure Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
MiLEAP and MDHHS agree with the finding.
FINDING 2024-034
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements
See Schedule of Findings and Questioned Costs for chart/table.
Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2023, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completed on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.
Condition
MiLEAP and LARA did not ensure inspections to support child care providers were performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 53 sampled licensed providers for the CCDF Cluster payments disclosed:
a. LARA did not perform annual on-site inspections for 3 (6%) licensed providers.
b. MiLEAP did not ensure timely annual on-site inspections for 2 (4%) licensed providers. We noted MiLEAP performed the on-site inspections 15 and 16 months after the last on-site inspection.
Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MiLEAP) shall have in effect, under State, local, or tribal law, requirements designed, implemented, and enforced to protect the health and safety of children and provide the minimum health and safety topics applicable to child care providers of services. The regulation also allows for MiLEAP to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.
Federal regulation 45 CFR 98.42(b)(2) states MiLEAP shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MiLEAP must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards.
Section 5 of MiLEAP's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.
Cause
MiLEAP informed us limited resources and transition to a new system impacted the timeliness of some inspections.
Effect
MiLEAP and LARA may not have identified the child care providers' potential noncompliance with all applicable health and safety requirements in a timely manner, resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MiLEAP ensure inspections to support child care providers are performed in accordance with applicable health and safety requirements to be eligible for CCDF Cluster payments.
Management Views
MiLEAP agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
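The per-file reconciliation described in the criteria and the auditor's comments, using control totals and record counts, can be sketched as follows. This is an added illustration, not DTMB's or the OAG's code; the table layouts, issue codes, and sample rows are assumptions constructed for the example.

```python
"""Per-file interface reconciliation with control totals.

Table layouts, field names, issue codes and sample rows are constructed for
this example; they are not the Bridges schema or DTMB's code.
"""
from collections import Counter, defaultdict


def reconcile_file(declared, summary_rows, detail_rows):
    """Return issue codes for one file; an empty list means it reconciles.

    declared:     record count the source system wrote to the file control table
    summary_rows: [(disposition, count), ...] from the batch summary table
    detail_rows:  [(record_id, disposition), ...] from the detail log
    """
    issues = []
    if not summary_rows:
        # Counts were never logged, so there is nothing to balance against.
        issues.append("SUMMARY_MISSING")
    else:
        rows_per_disposition = Counter(d for d, _ in summary_rows)
        if any(n > 1 for n in rows_per_disposition.values()):
            issues.append("SUMMARY_DUPLICATED")
        # Sum every row, as a naive report would, so duplicates inflate the total.
        if sum(count for _, count in summary_rows) != declared:
            issues.append("TOTAL_MISMATCH")

    if not detail_rows:
        # Purged or absent detail: the summary cannot be independently verified.
        issues.append("DETAIL_UNAVAILABLE")
        return issues

    # Each record must end in exactly one disposition; repeated ids count once.
    final = {}
    for record_id, disposition in detail_rows:
        final.setdefault(record_id, disposition)
    detail_counts = Counter(final.values())
    if sum(detail_counts.values()) != declared:
        issues.append("DETAIL_TOTAL_MISMATCH")

    if summary_rows:
        summary_counts = {}
        for disposition, count in summary_rows:
            summary_counts.setdefault(disposition, count)
        # A disposition present in the detail but absent from the summary
        # (for example, alerts) shows up here instead of disappearing.
        for d in sorted(set(detail_counts) | set(summary_counts)):
            if detail_counts.get(d, 0) != summary_counts.get(d, 0):
                issues.append(f"DISPOSITION_MISMATCH:{d}")
    return issues


def reconcile_interface(file_control, batch_summary, detail_log):
    """Reconcile every file on its own; results are never netted across files."""
    summary, detail = defaultdict(list), defaultdict(list)
    for file_id, disposition, count in batch_summary:
        summary[file_id].append((disposition, count))
    for file_id, record_id, disposition in detail_log:
        detail[file_id].append((record_id, disposition))
    results = {
        file_id: reconcile_file(declared, summary[file_id], detail[file_id])
        for file_id, declared in file_control.items()
    }
    # Rows logged for a file that has no control record cannot be balanced.
    for file_id in (set(summary) | set(detail)) - set(file_control):
        results[file_id] = ["CONTROL_RECORD_MISSING"]
    return results


def unreconciled(results):
    """File ids with at least one issue, in sorted order."""
    return sorted(f for f, issues in results.items() if issues)


# Constructed sample: five files from one hypothetical interface.
FILE_CONTROL = {"F1": 5, "F2": 4, "F3": 3, "F4": 4, "F5": 2}
BATCH_SUMMARY = [
    ("F1", "loaded", 4), ("F1", "exception", 1),   # balances
    # F2: counts were never logged
    ("F3", "loaded", 3), ("F3", "loaded", 3),      # same row logged twice
    ("F4", "loaded", 3), ("F4", "exception", 0),   # one alert left uncounted
    ("F5", "loaded", 2),                           # detail no longer available
]
DETAIL_LOG = (
    [("F1", i, "loaded") for i in range(1, 5)] + [("F1", 5, "exception")]
    + [("F2", i, "loaded") for i in range(1, 5)]
    + [("F3", i, "loaded") for i in range(1, 4)]
    + [("F4", i, "loaded") for i in range(1, 4)] + [("F4", 4, "alert")]
)

if __name__ == "__main__":
    for file_id, issues in reconcile_interface(
            FILE_CONTROL, BATCH_SUMMARY, DETAIL_LOG).items():
        print(file_id, issues or "reconciled")
```

Because each file is judged separately, one uncounted record is enough to leave that file unreconciled, however small it is relative to the total volume processed.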
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us that, because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-006
ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding.
MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate.
For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-037
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS General Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB had not fully implemented effective general controls over the Michigan Adult Integrated Management System (MiAIMS) database. MiAIMS is utilized to record Home Help Program (HHP) case management activities and process payment authorization. HHP payments totaled $353.3 million in fiscal year 2024. We noted:
a. DTMB did not fully implement effective security configurations for the MiAIMS database. The MiAIMS database management system* contained configuration settings prone to potential security risks.
b. DTMB did not review all privileged MiAIMS database accounts on a semiannual basis.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.060.02 and SOM Oracle Database Security Procedure specify DTMB must follow security parameters from the Center for Internet Security benchmarks, and database administrators are required to set appropriate database security configurations.
SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.
Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.
Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiAIMS. As a result, an increased risk exists MDHHS and DTMB cannot ensure the security of the MiAIMS database and its data.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB fully implement effective general controls over the MiAIMS database.
Management Views
For part a., DTMB agrees it had not fully implemented all State of Michigan database specific configurations during the audit period. However, DTMB disagrees these specific configurations created significant security risks. DTMB has been and continues to follow the manufacturer's recommendations regarding security configurations.
For part b., DTMB agrees with the finding.
Auditor's Comments to Management Views
DTMB and MDHHS acknowledged they did not fully implement specific database configurations; therefore, the potential security risks still exist.
The finding stands as written.
FINDING 2024-038
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - MiAIMS User Access
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully establish effective user access controls over MiAIMS. We noted MDHHS did not properly approve 3 (14%) of 22 sampled new users' application security agreements prior to granting access to MiAIMS.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to the State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job function.
Cause
MDHHS informed us it did not always follow the established process for documenting approvals of the application security agreements.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MiAIMS.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully establish effective user access controls over MiAIMS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-039
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Transitional Medicaid Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure renewals were processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Our query of 2,111 Medicaid beneficiaries receiving transitional medical assistance for more than 13 months disclosed 1,802 (85%) beneficiaries continued to receive improper benefit payments after the transitional eligibility period ended. MDHHS began conducting full eligibility renewals in June 2023 following the ending of the continuous enrollment provisions under the Families First Coronavirus Response Act of 2020, Public Law 116-127, as amended, on March 31, 2023. Therefore, our review of beneficiaries only included those beneficiaries eligible for transitional medical assistance with a benefit period from June 1, 2023 through August 31, 2023.
Criteria
In accordance with federal regulation 42 CFR 435.10, MDHHS's Medicaid State Plan specifies it provides extended medical coverage for up to 12 months to families with dependent children terminated solely because of earnings, hours of employment, or loss of earned income disregards (although the provision expired in 1998, this is still permitted according to federal law 42 USC 1396r-6). Also, MDHHS developed policies and procedures related to the "transitional medical assistance" Medicaid coverage eligibility group providing coverage for up to 12 months.
MDHHS elected to exercise the option extended to the states by CMS to delay procedural disenrollments for beneficiaries for one month while the State conducts targeted renewal outreach from June 2023 through the end of the PHE unwinding period. This strategy offered by CMS assists the states during the process of returning to normal operations following the expiration of the continuous enrollment condition in place during the PHE. Our review did not include beneficiaries who had accumulated 13 months of transitional medical assistance due to the above provision.
Cause
MDHHS informed us because the PHE unwinding period impacted a large volume of cases, it did not update the beneficiary's eligibility status for all cases. In addition, MDHHS indicated there was a breakdown of internal processes causing the delay in timely termination of some beneficiaries within the transitional medical assistance Medicaid eligibility group.
Effect
MDHHS paid Medicaid providers $676,704 during fiscal year 2024 on behalf of 1,802 beneficiaries in the transitional Medicaid eligibility group for medical services provided after the allowed 13-month transitional period had expired. The 1,802 beneficiaries received an average of 67 additional transitional Medicaid coverage days, ranging from 30 to 184 days. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $439,451 - federal share.
• $237,252 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure renewals are processed on a timely basis for beneficiaries receiving transitional medical assistance Medicaid coverage.
Management Views
MDHHS agrees with the finding.
FINDING 2024-040
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $3,373 for 11 (37%) of 30 payments sampled from a $2,001,375 population of beneficiary payments with no corresponding Medicaid coverage.
Criteria
Federal regulation 42 CFR 435.1002(b) indicates federal funding is available only for services provided to eligible beneficiaries.
Cause
MDHHS informed us that because of system issues in Bridges, inaccurate eligibility information from Bridges was interfaced into CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility.
Effect
MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs exceed $25,000.
• $2,256 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $1,117 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation
We recommend MDHHS ensure beneficiary eligibility is updated in CHAMPS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-041
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not prevent or timely recover payments, totaling $342, for 3 (20%) of 15 sampled clients who were hospitalized while receiving HHP services and no longer met eligibility requirements.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 140 prohibits payment for HHP services on days a client is unavailable due to hospitalization, except the caregiver may receive payment of HHP services on the day a client is admitted to a hospital if HHP services were completed before the time the client was admitted to the hospital. Also, ASM Section 140 allows payment for HHP services on the day a client is discharged from the hospital.
Cause
MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, MDHHS indicated staff oversight impacted the timeliness and accuracy of recoupments.
Effect
MDHHS paid a total of $342 from October 1, 2023 through September 30, 2024 for sampled clients who did not qualify for HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $223 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $119 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-042
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible Home Help Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain an updated medical needs form to ensure the HHP beneficiary met eligibility requirements for 1 of 3 HHP payments sampled.
The specified time frame for needed services, as indicated on the beneficiary's initial medical needs form, elapsed before the date of the HHP payment and an updated medical needs form was not completed as of the date of our review.
Criteria
Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under the HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services.
ASM Section 115 requires most HHP clients to obtain certification from a Medicaid-enrolled medical professional of the clients' medical need for services only at the initial opening of a case before qualifying for services unless special circumstances exist, such as the medical needs form has a specified time frame for needed services and the time frame has elapsed.
Cause
MDHHS informed us it did not consistently track and document when medical needs forms with a specified time frame were expected to expire.
Effect
MDHHS may have made payments on behalf of an ineligible HHP beneficiary. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $910 - federal share made to a provider on behalf of an ineligible beneficiary.
• $492 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS obtain an updated medical needs form to support beneficiary eligibility for HHP payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-043
Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $724,105 for 10,836 FFS claims for beneficiaries simultaneously enrolled in an MHP.
Criteria
According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies applying to the federal award.
Cause
MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility.
Effect
MDHHS made improper FFS practitioner payments of $724,105 from October 1, 2023 through September 30, 2024. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
• $511,402 - federal share of improper payments made to providers from October 1, 2023 through September 30, 2024.
• $212,703 - State share of costs MDHHS inappropriately used as matching.
Recommendation
We recommend MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
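An added example, not code from the audit report or from DTMB: a per-file reconciliation of a batch summary table against control totals and detail exception records, the kind of check the FISCAM criteria above describe. The table layout, field names, and sample rows are assumptions constructed for illustration. It flags the two failure modes named in the Cause (counts not logged, counts duplicated) and reports the outcome both per file and per record.

```python
"""Per-file interface reconciliation with control totals (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SummaryRow:
    """One row of a hypothetical batch summary table."""
    file_id: str
    received: int     # control total declared by the source system
    loaded: int       # records the receiving system reports as loaded
    exceptions: int   # records the receiving system reports as exceptions


# Constructed sample data: files the source system's transmission log says it sent.
EXPECTED_FILES = ["daily-001", "daily-002", "daily-003",
                  "daily-004", "daily-005", "monthly-01"]

# Constructed sample data: summary rows written by the interface job.
SUMMARY = [
    SummaryRow("daily-001", 1000, 990, 10),
    SummaryRow("daily-002", 1200, 1195, 3),    # 2 records unaccounted for
    SummaryRow("daily-003", 800, 800, 0),
    SummaryRow("daily-003", 800, 800, 0),      # same file logged twice
    SummaryRow("daily-005", 900, 900, 0),
    SummaryRow("monthly-01", 5000, 4990, 10),  # detail records purged
]                                              # daily-004 was never logged

# Constructed sample data: detail exception records still retained per file.
DETAIL_EXCEPTIONS = {"daily-001": 10, "daily-002": 5,
                     "daily-003": 0, "daily-005": 0}


def reconcile(expected_files, summary_rows, detail_exceptions):
    """Return {file_id: [issue, ...]}; an empty list means the file reconciles."""
    rows_by_file = {}
    for row in summary_rows:
        rows_by_file.setdefault(row.file_id, []).append(row)

    results = {}
    for file_id in expected_files:
        rows = rows_by_file.get(file_id, [])
        if not rows:
            results[file_id] = ["no summary row logged"]
            continue
        issues = []
        if len(rows) > 1:
            issues.append(f"summary row logged {len(rows)} times")
        row = rows[0]
        accounted = row.loaded + row.exceptions
        if accounted != row.received:
            issues.append(
                f"control total {row.received} != loaded + exceptions {accounted}")
        detail = detail_exceptions.get(file_id)
        if detail is None:
            # Without detail records the summary count cannot be verified.
            issues.append("detail exception records unavailable")
        elif detail != row.exceptions:
            issues.append(
                f"summary exceptions {row.exceptions} != detail records {detail}")
        results[file_id] = issues

    # A summary row for a file the source never sent is also a discrepancy.
    for file_id in rows_by_file:
        if file_id not in results:
            results[file_id] = ["summary row for a file the source did not send"]
    return results


def file_failure_rate(results):
    """Return (files that did not reconcile, files checked)."""
    failed = sum(1 for issues in results.values() if issues)
    return failed, len(results)


def unaccounted_records(summary_rows):
    """Return (records unaccounted for, records received), one row per file."""
    seen, gap, total = set(), 0, 0
    for row in summary_rows:
        if row.file_id in seen:
            continue
        seen.add(row.file_id)
        gap += abs(row.received - (row.loaded + row.exceptions))
        total += row.received
    return gap, total


if __name__ == "__main__":
    outcome = reconcile(EXPECTED_FILES, SUMMARY, DETAIL_EXCEPTIONS)
    for file_id, issues in outcome.items():
        print(file_id, "OK" if not issues else "; ".join(issues))
    print("files not reconciled: %d of %d" % file_failure_rate(outcome))
    print("records unaccounted:  %d of %d" % unaccounted_records(SUMMARY))
```

On the constructed data, 4 of 6 files fail to reconcile while only 2 of 8,900 records are unaccounted for, which is why a file-level rate and a record-level rate of the same run can look very different.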
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends that compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-044
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - MiSACWIS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS).
We noted:
a. MDHHS did not maintain documentation for 1 (2%) of 45 sampled MiSACWIS incompatible role exception requests. Of the 44 forms received, we noted MDHHS did not properly approve 1 (2%) form prior to granting the exception request.
b. MDHHS did not document or properly review its annual recertification of 5 (13%) of 40 sampled MiSACWIS non-privileged user accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements annually for all non-privileged accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties conflicts exist.
Cause
For part a., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access.
For part b., MDHHS informed us the users' roles were not always recertified due to staff oversight.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists MDHHS cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over MiSACWIS.
Management Views
MDHHS agrees with the finding.
FINDING 2024-045
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Non-Financial Eligibility Documentation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for 1 (5%) of 22 sampled TANF-funded assistance payments.
In this 1 instance, we noted MDHHS did not ensure the family's case record contained documentation to indicate household individuals were not in violation of their probation or parole requirements related to any offense in order to demonstrate the family was in need of TANF assistance.
Criteria
Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures applying to both the federal award and other activities of the state.
Cause
MDHHS informed us its controls were not sufficient to ensure all of the required verification documentation was appropriately maintained in the client's case record.
Effect
MDHHS may have made TANF-funded assistance payments to ineligible clients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $13 - federally funded.
Recommendation
We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-046
Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Inappropriate TANF-Funded Emergency Foster Care Assistance
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately consider a child's circumstances to ensure the child met eligibility requirements for 1 (17%) of 6 sampled TANF-funded emergency foster care case records. Our review disclosed because the child met Foster Care Title IV-E program requirements, the child did not meet TANF eligibility requirements.
Criteria
MDHHS's TANF State Plan allows MDHHS to use TANF funds for emergency foster care only if such care cannot be provided under Title IV-E. Administration for Children and Families' TANF Program Policy Questions and Answers indicate states may not use federal TANF or State maintenance of effort funds to take the place of any foster care maintenance payments provided under the federal foster care program.
In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures applying to both the federal award and other activities of the state.
Cause
MDHHS informed us the child welfare funding specialist did not timely update the funding determination because they were not aware the case manager uploaded the child's birth certificate.
Effect
MDHHS may have made emergency foster care payments on behalf of a child who did not qualify for TANF federal reimbursement. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,430 - federally funded.
Recommendation
We recommend MDHHS appropriately consider a child's circumstances to ensure the child meets TANF eligibility requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-047
Temporary Assistance for Needy Families, ALN 93.558, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted:
a. MDHHS did not utilize the risk assessment results to determine the type of monitoring appropriate for 1 of 3 sampled subrecipients.
b. MDHHS did not document its monitoring activities and any potential follow-up actions related to deficiencies noted during the review for 1 of 2 sampled subrecipients.
Criteria
Federal regulation 45 CFR 75.352(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and the subaward performance goals are achieved.
Cause
MDHHS believed its current process to monitor and evaluate subrecipients was sufficient to comply with program requirements. However, the documentation provided did not substantiate the procedures completed.
Effect
Insufficient monitoring of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements.
Management Views
MDHHS agrees with the finding.
FINDING 2024-048
Temporary Assistance for Needy Families, ALN 93.558, Special Tests and Provisions - Child Support Non-Cooperation
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not appropriately and timely sanction TANF families who did not cooperate with establishing paternity and child support orders in 3 (8%) of the 40 sampled case records. MDHHS uses an automated interface between the Michigan Child Support Enforcement System and Bridges to identify and sanction TANF families not cooperating with establishing paternity and child support orders.
We noted:
a. In 2 of the 3 cases, the automated interface identified the TANF family was not cooperating, but the benefits did not stop and the clients' case records did not contain evidence the clients met good cause criteria for not cooperating.
b. In 1 of the 3 cases, the TANF family cooperated within the negative action period; however, the family was inappropriately sanctioned and benefits were stopped.
Criteria
Federal regulation 45 CFR 264.30 states MDHHS must deduct an amount equal to not less than 25% from the TANF-funded assistance that would otherwise be provided to the family of the individual or may deny the family any TANF-funded assistance. MDHHS's TANF State Plan states failure to cooperate in establishing paternity and pursuing child support for dependent children will result in TANF client ineligibility for a one-month minimum.
Cause
MDHHS's internal control did not prevent a client from being sanctioned inappropriately for 1 case. For the remaining 2 cases, MDHHS informed us the one-month sanction period for the child support non-cooperation was not applied because the case was in a non-ongoing mode, which requires certification of the case by all MDHHS programs because of a change in client circumstances.
Effect
MDHHS may have inappropriately paid TANF funds to individuals who were ineligible because of failure to comply with child support requirements. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS appropriately and timely sanction TANF families who do not cooperate with establishing paternity and child support orders.
We also recommend MDHHS not sanction TANF families who timely cooperate with establishing paternity and child support orders.
Management Views
MDHHS disagrees with part a. of the finding. MDHHS's eligibility system, Bridges, was functioning as intended for the two cases identified because each case was in a non-ongoing mode at the time the automated interface occurred. A case is placed into this status if the client circumstances have changed for any MDHHS program within Bridges and the case requires a redetermination. TANF policy cannot mandate Bridges to change the non-ongoing mode because each impacted program is required to be certified prior to changing the status. MDHHS policy does not mandate a specific length of time a case can be in a non-ongoing status. The results of the redetermination can impact the client's non-cooperation status and therefore the client should not be sanctioned until the certification by all programs is complete.
For one of the cases, the client was appropriately sanctioned after the case review was complete and for the other case, the client was determined to be in compliance once the case was removed from the non-ongoing status mode.
MDHHS agrees with part b. of the finding.
Auditor's Comments to Management Views
MDHHS did not timely initiate sanctions against clients identified as not cooperating with establishing paternity and child support orders. Federal regulation 45 CFR 233.10 states when there is a change in circumstances, payment may not continue beyond one month after the change. For the 2 exceptions with which MDHHS disagrees, we noted MDHHS continued to make payments for up to 2 months after benefits should have stopped.
Therefore, the finding stands as written.
FINDING 2024-001
SIGMA High-Risk Activity Monitoring
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Department of Labor and Economic Opportunity (LEO) did not sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in the Statewide Integrated Governmental Management Applications* (SIGMA). We noted LEO did not document its review of or include all override transactions in 1 of 3 sampled reports.
Criteria
Title 2, Part 200, section 303 of the Code of Federal Regulations* (CFR) and federal regulation 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality*, integrity*, and availability* of State of Michigan information.
State of Michigan (SOM) Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse.
Cause
LEO informed us its process was not always sufficient to ensure document retention of its review of high-risk activity reports. Also, LEO indicated an error in its query criteria resulted in the missing override transaction.
Effect
Individuals may have made inappropriate override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists LEO did not identify inappropriate or high-risk activity associated with SIGMA transactions.
Known Questioned Costs
None.
Recommendation
We recommend LEO sufficiently monitor its high-risk activity reports to ensure users performed only authorized override actions in SIGMA.
Management Views
LEO agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-049
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, and Subrecipient Monitoring - Salesforce Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not fully establish effective security management and access controls over the Salesforce users. Program subrecipients utilize Salesforce to submit performance data, contract budgets, and expenditure submissions related to refugee resettlement. Also, LEO program staff utilize Salesforce to manage subgrants and review and approve subrecipient contract budgets and payment requests. We noted LEO did not review user access semiannually for privileged accounts or annually for all other accounts.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.
Cause
LEO informed us that because of staffing limitations, some processes could not be followed or established.
Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Salesforce. As a result, an increased risk exists LEO cannot ensure the security of the Salesforce application and data used to issue payments to subrecipients of federal awards.
Known Questioned Costs
None.
Recommendation
We recommend LEO fully establish effective security management and access controls over Salesforce users.
Management Views
LEO agrees with the finding.
FINDING 2024-050
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Assistance to Ineligible Refugees
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility. Our review disclosed MDHHS did not maintain sufficient documentation of its efforts to evaluate clients' eligibility; examples of documentation include support for the verification of nationality, identification, U.S. entry date, and mandatory work for 22 (55%) of 40 sampled refugee cash assistance payments.
Criteria
Federal regulations 45 CFR 400.53 and 45 CFR 400.75(a) require refugees to meet general eligibility requirements for refugee cash assistance, including requirements that eligible refugees meet immigration status and identification conditions; reside in the United States less than the eligibility period determined by HHS's Office of Refugee Resettlement; and cannot, without good cause, fail or refuse to meet the work registry requirements. Also, federal regulation 45 CFR 400.28 requires MDHHS provide for the maintenance of operational records as are necessary for federal monitoring of the State's REAP.
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in clients' case records to support eligibility.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have provided assistance to ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $892 - federal share.
Recommendation
We recommend LEO and MDHHS maintain documentation to support client eligibility was determined in accordance with eligibility requirements.
Management Views
LEO and MDHHS agree with the finding.
FINDING 2024-051
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - Accuracy and Completeness of Financial Reports
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not have an adequate process in place to ensure it submitted accurate and complete financial reports to HHS's Office of Refugee Resettlement (ORR). For all 4 sampled Federal Financial Reports (SF-425) and 1 of the 2 sampled Cash and Medical Assistance (CMA) Quarterly Reports on Expenditures and Obligations (ORR-2), LEO did not retain auditable submitted information, such as detailed expenditure data and explanations for the expenditure adjustments.
Criteria
Federal regulation 45 CFR 75.361 requires financial records, supporting documents, statistical records, and all other nonfederal entity records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report or from the date of the submission of the quarterly or annual financial report.
Federal regulation 45 CFR 75.302(b)(2) requires the State to submit accurate and complete financial data in accordance with a grant program's reporting requirements. Also, federal regulation 45 CFR 400.11(c) indicates the State must submit financial status reports, which include information such as federal expenditures, unliquidated obligations, and cash receipts and disbursements.
Cause
LEO informed us staff turnover combined with an inconsistent methodology when compiling data, adjusting expenditures, and assigning coding resulted in inaccurate and incomplete financial reports.
Effect
We consider this to be a material weakness and material noncompliance because LEO may have diminished ORR's ability to ensure appropriate oversight and monitoring of Refugee Support Services and CMA funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO establish an adequate process to ensure it submits accurate and complete financial reports to ORR.
Management Views
LEO agrees with the finding.
FINDING 2024-052
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Background
LEO informed us it did not report any subaward information from October 2023 through March 2024 and then inappropriately calculated the subaward amounts reported from April 2024 through September 2024. In accordance with federal regulation 2 CFR 200.514, we determined additional compliance testing was not necessary because of ineffective internal control.
Condition
LEO did not ensure it reported or accurately and timely reported all REAP subaward information as required by FFATA.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires LEO to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
LEO indicated it had not implemented a process to accumulate and submit the required information to the federal system until April 2024. Also, LEO informed us the report it used to accumulate subaward information did not contain accurate subaward amounts.
Effect
LEO grant information was not accurate or timely available for public access through the federal website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance because LEO did not ensure it reported, or accurately and timely reported, all subaward information as required by FFATA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend LEO report REAP subaward information as required by FFATA.
Management Views
LEO agrees with the finding.
FINDING 2024-053
Refugee and Entrant Assistance State/Replacement Designee Administered Programs, ALN 93.566, Subrecipient Monitoring - Subrecipient Audits and Subaward Information
See Schedule of Findings and Questioned Costs for chart/table.
Condition
LEO did not properly monitor its subrecipients to ensure they complied with the Uniform Guidance. In addition, LEO did not report or accurately report to its subrecipients all subaward information as required by the Uniform Guidance. We noted:
a. LEO did not have a process to identify or document if the subrecipients required a single audit. Therefore, LEO did not monitor these subrecipients to ensure the status or submission of their single audit reports and did not determine whether a management decision letter was needed.
b. LEO did not report the federal award date for 2 of 6 sampled REAP subrecipients.
c. LEO did not accurately report one or more of the following for all 6 sampled REAP subrecipients: UEI and FAIN.
Criteria
Federal regulation 45 CFR 75.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 45 CFR 75.352(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 45 CFR 75.521(d) requires LEO to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by FAC.
In addition, federal regulation 45 CFR 75.352(a) requires all pass-through entities ensure every subaward includes certain information.
Cause
For part a., LEO indicated because of limited staff resources it did not have a process in place to review subrecipient single audits.
For parts b. and c., LEO informed us because of an oversight, it did not always use the appropriately updated grant agreement templates with the correct subaward information for fiscal year 2024.
Effect
LEO limited the State's assurance its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to LEO's records. Also, subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. We consider this to be a material weakness and material noncompliance because LEO did not complete any monitoring of its subrecipients' single audits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend LEO monitor its subrecipients to ensure they comply with the Uniform Guidance.
We also recommend LEO ensure it reports or accurately reports to its subrecipients all subaward information as required by the Uniform Guidance.
Management Views
LEO agrees with the finding.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-054
Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2024 TSA, which were last reviewed and updated in its fiscal year 2015 TSA.
Criteria
Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years.
Cause
Treasury informed us the recertification of the LIHEAP clearance patterns was not completed because of inadequate procedures.
Effect
Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend Treasury review and recertify the accuracy of the clearance patterns specified in the TSA.
Management Views
Treasury agrees with the finding.
FINDING 2024-055
Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, client contribution payment, and proof of energy crisis for 11 (26%) of 42 sampled LIHEAP-funded State Emergency Relief (SER) energy payments.
Criteria
Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy.
MDHHS policy requires county/district office caseworkers to verify and include certain income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy, effective through November 30, 2023, states the payment amount must match the amount on the past due or shut-off notice. MDHHS revised its policy, effective November 13, 2023, to indicate the payment should be processed using the most advantageous amount to benefit the client up to the service cap. In addition, policy indicates the client contribution payment or payment by another agency must be verified before authorizing the department's portion of the remaining cost of services.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure county/district office specialists adhered to established policies and procedures.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $4,397 - federal share.
Recommendation
We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 435.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-002
Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.
For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.
Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period.
DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Therefore, the finding stands as written.
FINDING 2024-003
Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users.
We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.
State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.
FINDING 2024-005
Income Eligibility and Verification System
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.
Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:
a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 13 (17%) of 76 cases.
b. For 7 (50%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 14 (18%) of 76 cases reviewed, of which 11 are also reported in part a.
c. MDHHS had not fully established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For 1 (9%) of 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
f. MDHHS and DTMB did not process the Internal Revenue Service (IRS) Wage and Pension Match records for all applicants and recipients.
g. MDHHS and DTMB did not timely receive and process the Social Security Administration deceased records for all applicants and recipients for three months of the audit period.
Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 273.2(f)(9) requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require the state agency to timely document information obtained through IEVS both when an adverse action is and is not instituted.
Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the IRS at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility.
MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.
Cause
For parts a. and b., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete.
For part c., MDHHS believes it had a sufficient process in place to review and monitor electronic notifications during fiscal year 2024. However, the process did not substantiate the reviews completed.
For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship.
For part e., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges.
For part f., MDHHS and DTMB's internal control was not sufficient to ensure they processed the file transfers because of a misunderstanding of the nature of the data contained in the file transfers.
For part g., MDHHS informed us staff turnover contributed to a delay in renewing the federal subscription. Also, MDHHS and DTMB indicated they expected the receive file to contain only three months of data; instead, they received a complete base file and, because of the file size, they cannot currently process the file.
Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Undeterminable.
Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients.
We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.
Management Views
MDHHS agrees with parts a., b., d., f., and g. of the finding. MDHHS disagrees with parts c. and e. of the finding.
For part c., MDHHS disagrees that a process is not fully established to monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. MDHHS had policies and procedures in effect during fiscal year 2024 to help ensure monitoring of electronic notifications was taking place. Review of IEVS information is fully incorporated into the case read procedure governed by Bridges Administrative Manual 301 and detailed further in desk aids and reading guides. The Economic Stability Administration (ESA) provides regular direction and reminders of case read requirements via ESA Memos.
For part e., MDHHS disagrees that IEVS information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.
Auditor's Comments to Management Views
Regarding part c., although MDHHS provided various guidance to the caseworkers regarding the utilization of IEVS information, the guidance did not result in the maintenance of sufficient documentation to support caseworkers considered and utilized IEVS information, as noted in part a.
Regarding part e., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. MDHHS's policy for continuous eligibility does not include the Healthy Michigan Plan. Also, the Center for Medicaid and CHIP Services (CMCS) Informational Bulletin for Medicaid and CHIP Renewal Requirements does not distinguish between MAGI and non-MAGI beneficiaries when it comes to renewals or changes in circumstances except for pregnant women. Further, the bulletin indicates when a state has information indicating a change in a beneficiary's circumstances, it must act promptly to determine the effect on eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not utilize IEVS data exchanges to identify whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids, CHIP Healthy Kids, and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative. Federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342 require MDHHS to terminate benefits, regardless of continuous eligibility, if any of the above circumstances are identified.
Therefore, the finding stands as written.
FINDING 2024-007
CHAMPS Eligibility Interface Errors
See Schedule of Findings and Questioned Costs for chart/table.
Background
MDHHS uses Bridges for determining eligibility and benefit amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into the Community Health Automated Medicaid Processing System (CHAMPS), MDHHS's system used to process medical claims and payments.
Condition
MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 7 (47%) which had been excluded from eligibility interface processing.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the GAO's FISCAM indicates interface error handling and reconciliation procedures should reasonably ensure all transactions are accounted for and all errors are identified, isolated, analyzed, and corrected in a timely manner.
Cause
MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices.
Effect
MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster, REAP, and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-012
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility for 7 (12%) of 60 Medicaid and 33 (55%) of 60 CHIP cases. Our review disclosed:
a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 2 (3%) of 60 Medicaid and 10 (17%) of 60 CHIP cases reviewed.
b. MDHHS did not maintain case file documentation supporting the beneficiary eligibility determination; examples of documentation include MAGI-based income verification results, other income support, and signed applications for 4 (7%) of 60 Medicaid and 23 (38%) of 60 CHIP cases reviewed.
c. MDHHS did not determine beneficiary eligibility within the required time frame for 1 (2%) of 60 Medicaid cases reviewed.
Criteria
Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulations 42 CFR 435.914 and 42 CFR 457.965 require case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Federal regulation 42 CFR 435.912(c) requires MDHHS to determine eligibility and provide notice of the decision within 90 days for applicants who apply for Medicaid on the basis of disability and 45 days for all other applicants.
MDHHS Bridges Administrative Manual 300, The Case Record, indicates a case record includes documents and information related to a given case arranged in a series of packets and contained in a folder identified by a case name, grantee ID, or case number. A case record consists of both paper case records and electronic case files (ECF). The paper case record and ECF contain all forms, documents, and other evidence relevant to the group's current and past eligibility. Unless captured in Bridges, the case record must document the facts essential to the eligibility determination and actions taken by the local office regarding the case.
Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required documentation in beneficiaries' case records to support eligibility determinations. Also, MDHHS's internal control did not ensure county/district office caseworkers timely reviewed beneficiaries' case records.
Effect
We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 12% Medicaid and 55% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $6,697 - federal share.
• $2,299 - State share of costs MDHHS inappropriately used as matching.
Recommendations
We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements.
We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements.
We further recommend MDHHS ensure eligibility determinations are made timely.
Management Views
MDHHS agrees with the identified exceptions for parts a. and c. of the finding. However, MDHHS disagrees that 3 Medicaid cases and 20 Children's Health Insurance Program (CHIP) cases with MAGI determinations cited in part b. did not have case file documentation supporting the beneficiary eligibility determination. The Centers for Medicare and Medicaid Services (CMS) has determined that a reasonable compatibility indicator can be used for CMS audit purposes to determine if the attested income information was electronically verified for MAGI cases and MDHHS disagrees that documentation was not maintained to support the eligibility determination.
The SOM MiIntegrate system communicates with various State and federal electronic trusted data sources and sends the information from these sources, along with the beneficiaries' attested income, to the SOM MAGI Rules Engine where the MAGI eligibility determination is made. As part of the MAGI eligibility determination, a reasonable compatibility test is completed to determine if beneficiary/applicant attested income is within a specified percentage of the electronic trusted data sources or if the attested and verified income are below the threshold for the applicable program. The results of the MAGI eligibility determination are sent back to MiIntegrate using an Account Transfer (AT) packet that contains the results. MiIntegrate then communicates the results to the SOM MAGI Viewer and Bridges using an AT packet and Bridges stores the AT packet number only that can be used to view the details of the AT packet within the SOM MAGI Viewer. The version of the AT packet within the MAGI Viewer also contains a reasonable compatibility indicator that documents the outcome of the reasonable compatibility test and supports the SOM MAGI Rules Engine eligibility decision.
MDHHS stores the AT packet information, including facts essential to the eligibility determination, within MiIntegrate and the MAGI Viewer instead of Bridges to help protect and secure the federal income tax data and unemployment data used for the determination. The AT packet for each individual determination can be retrieved from the MAGI Viewer using the AT packet number stored in each beneficiary's case file within Bridges. MDHHS is not aware of any federal regulations that preclude MDHHS from storing this information in a separate system to help secure the data and restrict access as required by federal and state law.
Auditor's Comments to Management Views
Regarding the MAGI beneficiary eligibility documentation cited in part b., the CMS's Payment Error Rate Measurement (PERM) Manual indicates if states use electronic verification to verify eligibility elements there should be an indicator in the eligibility system, i.e., Bridges, showing the State verified the element, including the result of the verification. Also, federal regulations 42 CFR 935.914 and 42 CFR 457.965 require MDHHS to maintain facts in the case file to support the eligibility determination. The AT packet number does not include the reasonable compatibility indicator. Therefore, it does not provide sufficient detail within the case file, defined by MDHHS as records captured in Bridges, to demonstrate MDHHS verified the income or the caseworker confirmed the result of the verification.
Therefore, the finding stands as written.
FINDING 2024-013
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely.
On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified that it incorrectly recorded $25.6 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2024.
Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury prescribing specific methods of drawing down federal funds for selected large programs.
Cause
MDHHS implemented a system change to correct eligibility classifications in Bridges for new cases in April 2021. Based on mitigation strategies developed by the Centers for Medicare and Medicaid Services (CMS) to ensure children did not lose eligibility, MDHHS was not able to update existing cases during the public health emergency (PHE). All new cases are being correctly routed, but MDHHS is continuing to update existing cases following the end of the PHE because of a higher number of renewals and limited staff resources.
Effect
MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
For the CHIP cash management compliance requirement noted, we consider this to be a material weakness and material noncompliance because the $25.6 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 5% of total CHIP expenditures.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views
MDHHS agrees with the finding.
FINDING 2024-014
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, Integrated Care Organization (ICO) entities, a home help provider, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures.
Criteria
Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935.
Cause
For the PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, and PBM, MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS staff relies on the entities to inform them when ownership changes occur. For the home help provider, MDHHS indicated it did not have a signed provider agreement on file due to an isolated staff oversight. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures.
Effect
MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendations
We recommend MDHHS obtain all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, ICO entities, home help providers, and its PBM and ensure the disclosures are timely and accurately updated and approved in CHAMPS.
We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures.
Management Views
MDHHS agrees with the finding.
FINDING 2024-015
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures reports (CMS-64 and CMS-21 reports).
We noted:
a. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the CMS-64 and CMS-21 reports, resulting in late reporting for items recorded in the second and fourth quarters of fiscal year 2024.
b. MDHHS did not have an adequate process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting.
c. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were calculated using the correct federal medical assistance percentage (FMAP) rate for 1 (4%) of 27 Medicaid overpayments and 1 (20%) of 5 CHIP overpayments.
Criteria
Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 and CMS-21 reports. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount.
Cause
For part a., MDHHS informed us staff oversight resulted in MDHHS's late reporting.
For part b., MDHHS believes it has an adequate process in place to identify overpayments returned late and calculate corresponding interest, but the process was not formally documented.
For part c., MDHHS indicated system issues contributed to the application of the incorrect FMAP rate.
Effect
MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 and CMS-21 reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-016
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure 5 of 8 sampled managed care entities' medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports.
The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care.
Criteria
Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports.
Cause
MDHHS informed us it did not set sufficient expectations with all managed care entities that a separately attached comparison is mandatory and did not reject MLR submissions for entities who failed to attach a comparison with the audited financial reports.
Effect
MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports.
Management Views
MDHHS agrees with the finding.
FINDING 2024-017
Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure an independent audit of its managed care entities' encounter and financial data was completed and submitted for all significant components necessary to meet audit requirements. Also, MDHHS did not ensure the audits were posted to its website at least once every three years. This included 15 managed care organizations (MCOs), 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2024.
Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries.
Criteria
Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website.
Cause
MDHHS informed us it contracted for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP. However, the comprehensive medical record review exceeded the audit activity time frames outlined within the scope of the contract, and not all audit activities were completed during fiscal year 2024.
Effect
Failure to ensure the accuracy of data could affect the development of capitation rates based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure an independent audit of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities is completed for all significant components necessary to meet audit requirements, submitted, and posted to its website at least once every three years.
Management Views
MDHHS agrees with the finding.
FINDING 2024-011
MDHHS, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not ensure it reported or timely reported all subaward information as required by the Federal Funding Accountability and Transparency Act (FFATA) of 2006. Our results are summarized by Assistance Listing Number (ALN) in the following table:
See Schedule of Findings and Questioned Costs for chart/table.
We noted MDHHS did not report any subaward information for 1 (2%) of 57 sampled subawards. Of the 56 subawards in the FFATA Subaward Reporting System (FSRS), MDHHS did not timely submit subaward information for 49 (88%) sampled subawards.
Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MDHHS informed us the subrecipients did not have registered or activated unique entity identifier (UEI) accounts, which prevented timely submission. Other contributing factors include inaccurate Electronic Grants Administration and Management System account code and funding source fields, which impacted the query used to obtain certain FFATA data elements.
Effect
MDHHS grant information was not available or timely available for public access through the website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS ensure it reports or timely reports all subaward information as required by FFATA.
Management Views
MDHHS agrees with the finding.
FINDING 2024-056
Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, Reporting, Subrecipient Monitoring, and Special Tests and Provisions - EM Grants Manager Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
The Michigan Department of State Police (MSP) did not fully establish effective security management and access controls over EM Grants Manager. MSP program staff utilize EM Grants Manager for administering Federal Emergency Management Agency disaster grants. We noted:
a. MSP did not maintain documentation for 2 (10%) of 20 sampled EM Grants Manager access request forms.
b. MSP did not review privileged accounts on a semiannual basis.
c. MSP did not disable 1,658 (89%) of 1,868 active EM Grants Manager user accounts not accessing the application in over 60 days as of September 30, 2024.
Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that privileged accounts be reviewed semiannually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days.
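The three conditions in this finding can be tested mechanically against an account export. The following is an added example, not code from the audit report, MSP, or EM Grants Manager; the record fields, the sample accounts, and the reading of "semiannually" as 183 days are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=60)   # threshold quoted in the finding
REVIEW_INTERVAL = timedelta(days=183)   # assumption: "semiannually" read as 183 days


@dataclass
class Account:                          # hypothetical export format
    user: str
    created: date
    last_login: Optional[date]          # None = account has never been used
    enabled: bool
    privileged: bool
    last_review: Optional[date]         # None = never reviewed
    request_form_on_file: bool


def should_be_disabled(acct: Account, as_of: date) -> bool:
    """Enabled account with no access in over 60 days (part c)."""
    if not acct.enabled:
        return False
    # Never-used accounts age from their creation date, so they cannot
    # escape the check simply because last_login is empty.
    last_activity = acct.last_login or acct.created
    return as_of - last_activity > INACTIVITY_LIMIT


def review_overdue(acct: Account, as_of: date) -> bool:
    """Enabled privileged account without a review in the last interval (part b)."""
    if not (acct.enabled and acct.privileged):
        return False
    return acct.last_review is None or as_of - acct.last_review > REVIEW_INTERVAL


def access_review(accounts, as_of: date) -> dict:
    """Return the user names failing each of the three checks."""
    enabled = [a for a in accounts if a.enabled]
    return {
        "disable_inactive": sorted(a.user for a in enabled if should_be_disabled(a, as_of)),
        "privileged_review_overdue": sorted(a.user for a in enabled if review_overdue(a, as_of)),
        "missing_request_form": sorted(a.user for a in enabled if not a.request_form_on_file),  # part a
    }


# Constructed sample data, evaluated as of the audit's cut-off date.
AS_OF = date(2024, 9, 30)
SAMPLE = [
    Account("alice", date(2023, 1, 10), date(2024, 9, 12), True, True, date(2024, 6, 1), True),
    Account("bob", date(2022, 5, 2), date(2024, 7, 31), True, False, None, True),    # 61 days idle
    Account("carol", date(2024, 8, 1), None, True, False, None, False),              # exactly 60 days old
    Account("dave", date(2021, 3, 3), date(2024, 9, 29), True, True, date(2024, 3, 1), True),
    Account("erin", date(2020, 1, 1), date(2023, 1, 1), False, True, None, True),    # already disabled
    Account("frank", date(2024, 6, 1), None, True, False, None, True),               # never logged in
]

if __name__ == "__main__":
    for check, users in access_review(SAMPLE, AS_OF).items():
        print(f"{check}: {users}")
```

Run on a schedule, the first list is what an automatic disable job would act on; the other two feed the semiannual review and the access request file check.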
Cause
MSP informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.
Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to EM Grants Manager.
Known Questioned Costs
None.
Recommendation
We recommend MSP fully establish effective security management and access controls over EM Grants Manager.
Management Views
MSP agrees with the finding.
FINDING 2024-057
Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Reporting - FFATA Reporting
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MSP did not ensure it reported Disaster Grants - Public Assistance subaward information as required by FFATA. We reviewed 7 sampled subawards totaling $4,324,919 and noted MSP did not report subaward information for 1 subaward totaling $1,926,228.
Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MSP to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.
Cause
MSP informed us because of an oversight and the transition to a new grant management system, it did not report the subaward information.
Effect
MSP grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MSP ensure it reports the Disaster Grants - Public Assistance subaward information as required by FFATA.
Management Views
MSP agrees with the finding.